© 2002-2003 by Intrusion Inc. 
All Rights Reserved 

Intrusion Inc. makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of 
merchantability and fitness for a particular purpose. Intrusion Inc. shall not be liable for errors contained herein or for direct, indirect, 
special, incidental, or consequential damages in connection with the furnishing, performance, or use of this material. 

No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying 
and recording, or by any information storage or retrieval system, except as expressly permitted by Intrusion Inc. 

Intrusion Inc. reserves the right to make corrections, updates, or revisions to this information. 

Restricted Rights Legend 

Use, duplication, or disclosure by the U. S. Government is subject to restrictions set forth in subparagraph (c)(1)(ii) of the Rights in 
Technical Data and Computer Software clause at DFARS 252.227-7013 and in similar clauses in the FAR and NASA FAR Supplement. 

Trademarks 

Intrusion Inc., the Intrusion logo mark, and SecureNet are trademarks of Intrusion Inc. 

Check Point, FireWall-1, VPN-1, and OPSEC are trademarks or registered trademarks of Check Point Software Technologies, Ltd. or 
its affiliates. 

Netscape is a registered trademark of Netscape Communications Corporation in the U.S. and other countries. 
Microsoft, Windows, and Internet Explorer are trademarks or registered trademarks of Microsoft Corporation. 
Adobe and Acrobat are trademarks or registered trademarks of Adobe Systems Incorporated. 
All other brands and trademarks used in this document are the properties of their respective owners. 

GNU Public License 

Some of the software used in products described in this user guide are from open sources subject to the GNU General Public License as 
published by the Free Software Foundation. They may have been used verbatim or modified to fit our particular requirements. 

These programs are free software which can be redistributed and/or modified under the terms of the GNU General Public License. 

These programs are distributed WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 

For a copy of the GNU General Public License, go to http://www.gnu.org/copyleft/gpl.html or write to: 

Free Software Foundation, Inc. 
59 Temple Place - Suite 330 
Boston, MA 02111-1307, USA 

For additional information regarding the open-sourced programs used in our products and how you can get the source code for these 
programs, contact us at the addresses on the next page. 
For questions, assistance, or suggestions, please contact: 

Intrusion Inc. Technical Services Group 

Phone     1-888-637-7770 
FAX       1-972-234-4059 
E-mail    help@intrusion.com 
Hours     8:00 AM - 6:00 PM (Central Time Zone), Monday through Friday 
Address   1101 E. Arapaho Road, Richardson, Texas 75081 
Web site  www.intrusion.com 

Printed in the United States of America. 
Intrusion Inc. Software License Agreement 



IMPORTANT 

PLEASE READ CAREFULLY BEFORE CONTINUING WITH THIS INSTALLATION. AT THE END 
OF THE LICENSE TERMS AND CONDITIONS STATED BELOW, YOU WILL BE ASKED TO 
ACCEPT OR REJECT SUCH TERMS. BY INDICATING YOUR ACCEPTANCE, YOU AGREE TO BE 
BOUND BY THE TERMS OF THIS LICENSE AGREEMENT. 

This is a legal agreement between the end user ("You") and Intrusion Inc., its affiliates and subsidiaries 
(collectively "INTRUSION"). This Agreement may be superseded by any written agreement signed by both 
You and INTRUSION. This Agreement is part of a package (the "Package") that may also include a sealed 
CD-ROM disk, sealed diskettes (collectively, the "Disk") or a downloaded installation package from the 
INTRUSION web site and certain written materials delivered to You in hard copy or electronic format (the 
"INTRUSION documentation"). 

1 GRANT OF LICENSE. Subject to the terms and conditions of this License Agreement, INTRUSION grants You a non-exclusive, non-transferable license, to use 
the following INTRUSION software program (the "SOFTWARE") in accordance with the instructions contained in the INTRUSION documentation. INTRUSION 
software can be installed on or access computers or devices up to the total number of copies authorized for each respective operating system or device. The 
software for each central monitoring station, "Consoles" and "Managers" can be installed up to the total number of copies authorized for each device. 

2 OWNERSHIP AND COPYRIGHT. Title to the SOFTWARE, including its component parts and user interface, and associated INTRUSION documentation, and 
patents, copyrights and all other property rights applicable thereto, shall at all times remain solely and exclusively with INTRUSION and its suppliers, and the 
Customer shall not take any action inconsistent with such title. The SOFTWARE is protected by United States, Canadian and other applicable laws and by 
international treaty provisions. Therefore, You must treat the SOFTWARE and INTRUSION documentation like any other copyrighted materials except that You 
may (a) make one copy of the SOFTWARE solely for backup and archival purposes, and (b) make a reasonable number of copies of the INTRUSION 
documentation for Your internal use only, provided all copyright notices, trademarks and other proprietary rights legends affixed to or contained within the original 
SOFTWARE and INTRUSION documentation are reproduced on the copies and that they are not removed from the original SOFTWARE or INTRUSION 
documentation itself. Any rights not expressly granted herein are reserved to INTRUSION and its suppliers. 

3 OTHER RESTRICTIONS. You may not cause or permit disclosure, copy (except as expressly permitted above), rent, license, sublicense, lease, disseminate or 
otherwise distribute or transfer the SOFTWARE, by any means or in any form, without the prior written consent of INTRUSION. You may not use any component 
part of the SOFTWARE owned by an INTRUSION supplier as a standalone program or in any way independently of the SOFTWARE provided to You by 
INTRUSION. You may not modify, enhance, supplement, create derivative works from, adapt, translate, reverse engineer, decompile, disassemble or otherwise 
reduce the SOFTWARE to human readable form, except and only to the extent such activity is expressly permitted by applicable law notwithstanding this 
provision. You shall not remove, obscure or alter INTRUSION'S copyright notices, trademarks, or other proprietary rights legends affixed to or contained within 
the SOFTWARE. 

4 LIMITED WARRANTY. INTRUSION grants a limited warranty only to You that the SOFTWARE will perform substantially in accordance with the INTRUSION 
documentation for a period of 90 days from the date of delivery by INTRUSION. You may contact INTRUSION regarding support service issues during this 90 
day period. INTRUSION does not warrant that the functions or features contained in the SOFTWARE will meet Your requirements or that the operation of the 
SOFTWARE Media will be uninterrupted or error free. You may enter into a separate support service contract directly with INTRUSION for support issues that 
may arise following the expiration of the 90 day limited warranty. If You choose not to enter into a separate support service contract, any and all related and 
subsequent support issues shall be directed to the party from which You purchased this license. 

YOU UNDERSTAND THAT, IF YOU PURCHASED THE PACKAGE FROM AN AUTHORIZED RESELLER OF INTRUSION, THAT RESELLER IS NOT 
INTRUSION'S AGENT AND IS NOT AUTHORIZED TO MAKE ANY REPRESENTATIONS, CONDITIONS OR WARRANTIES, STATUTORY OR OTHERWISE, 
ON INTRUSION'S BEHALF NOR TO VARY ANY OF THE TERMS OR CONDITIONS OF THIS AGREEMENT. IN ADDITION, YOU ACKNOWLEDGE THAT, 
EXCEPT TO THE EXTENT OTHERWISE AGREED BY THAT RESELLER IN WRITING OR PROHIBITED BY LAW, THE LIMITATIONS OF CONDITIONS AND 
WARRANTIES, STATUTORY OR OTHERWISE, AND LIABILITY SET FORTH IN THIS AGREEMENT ALSO APPLY TO AND BENEFIT THAT RESELLER. 

5 CUSTOMER REMEDIES. INTRUSION'S entire liability and Your exclusive remedy for breach of the Limited Warranty shall be at INTRUSION'S option, either (a) 
return of the price paid by You solely for the SOFTWARE, which is returned to INTRUSION and determined by INTRUSION not to be in compliance, or (b) repair 
and replacement of the SOFTWARE which does not meet INTRUSION'S Limited Warranty. Any replacement SOFTWARE will be warranted for the remainder of 
the original warranty period or 30 days, whichever is longer. The Limited Warranty is void if failure of the SOFTWARE has resulted from causes other than normal 
use, including but not limited to, unauthorized repairs, maintenance or modifications to the SOFTWARE, accident, abuse, negligence, misapplication, or failure to 
use the SOFTWARE in accordance with the INTRUSION documentation. EXCEPT FOR THE FOREGOING EXPRESS CONDITIONS AND WARRANTIES 
MADE BY INTRUSION, INTRUSION AND ITS SUPPLIERS DISCLAIM ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES, STATUTORY OR 
OTHERWISE, BOTH EXPRESS AND IMPLIED, WITH RESPECT TO THE SOFTWARE, ITS QUALITY AND PERFORMANCE AND THE ACCOMPANYING 
INTRUSION DOCUMENTATION AND OTHER WRITTEN MATERIALS, INCLUDING BUT NOT LIMITED TO IMPLIED CONDITIONS OR WARRANTIES, 
STATUTORY OR OTHERWISE, OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT. Some jurisdictions 
do not allow the exclusion of implied conditions or warranties, statutory or otherwise, so the above exclusion may not apply to You. This warranty gives You 
specific legal rights, and You may also have other rights which vary from jurisdiction to jurisdiction. 

6 LIMITATION OF LIABILITY. INTRUSION AND ITS SUPPLIERS' LIABILITY WILL BE LIMITED IN ANY EVENT TO ACTUAL DIRECT DAMAGES TO THE 
EXTENT CAUSED SOLELY BY THE ACTS OR OMISSIONS OF INTRUSION, SUBJECT TO A MAXIMUM AGGREGATE LIABILITY FOR ALL CLAIMS OF THE 
AMOUNT PAID FOR THE SPECIFIC PRODUCT WHICH DIRECTLY CAUSED SUCH DAMAGE. IN NO EVENT SHALL INTRUSION OR ITS SUPPLIERS BE 
LIABLE FOR ANY SPECIAL, INDIRECT, CONSEQUENTIAL, EXEMPLARY, PUNITIVE OR INCIDENTAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT 
LIMITATION, DAMAGE FOR LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS, DAMAGE OR DESTRUCTION OF DATA, LOSS OF GOOD 
WILL, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES OR OTHER PECUNIARY LOSS) WHETHER BASED IN CONTRACT, TORT 
OR PRODUCTS LIABILITY, INCLUDING NEGLIGENCE AND/OR STRICT LIABILITY, ARISING OUT OF THE USE OF OR INABILITY TO USE THE 
SOFTWARE OR THE INTRUSION DOCUMENTATION, EVEN IF INTRUSION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH 
DAMAGES. Some jurisdictions do not allow the exclusion or limitation of special, indirect, consequential, exemplary or incidental damages or the limitation of 
liability to specified amounts, so the above limitation and exclusion may not apply to You. 

7 TERMINATION. INTRUSION shall have the right to terminate this Agreement after giving written notice to You of Your failure to satisfy any of Your obligations 
hereunder if You then fail to cure such failure to INTRUSION'S satisfaction within thirty (30) days after receiving such notice. In addition, INTRUSION shall have 
the right to terminate this Agreement in the event You cease to do business or become bankrupt. Upon any such termination: (a) You shall cease all use of all 
copies of the SOFTWARE and INTRUSION documentation which You received hereunder; and (b) You shall return to INTRUSION all copies of the SOFTWARE 
and INTRUSION documentation, including any copies or partial copies. 

8 GENERAL. This Agreement constitutes the entire understanding between INTRUSION and You with respect to subject matter hereof. Any change to this 
Agreement must be in writing, signed by INTRUSION and You. Terms and conditions as set forth in any purchase order which differ from, conflict with, or are not 
included in this License Agreement, shall not become part of this Agreement unless specifically accepted by INTRUSION in writing. You shall be responsible for 
and shall pay, and shall reimburse INTRUSION on request if INTRUSION is required to pay, any sales, use, withholding, value added tax (VAT), consumption or 
other tax (excluding any tax that is based on INTRUSION'S net income), assessment, duty, tariff, or other fee or charge of any kind or nature that is levied or 
imposed by any governmental authority on the SOFTWARE. 

9 U.S. GOVERNMENT RESTRICTED RIGHTS LEGEND. The Software is provided with RESTRICTED RIGHTS. The Software is a "commercial item" as defined 
at FAR 2.101, consisting of "commercial computer software" and "commercial computer software documentation" as such terms are used in FAR 12.212. 
Consistent with FAR 12.212 and DFARS 227.7202, use, duplication, or disclosure by the U.S. Government is subject to restrictions as set forth in this License 
Agreement. The contractor/manufacturer is Intrusion Inc., 1101 East Arapaho, Richardson, TX 75081 U.S.A. 

10 EXPORT AND IMPORT COMPLIANCE. You shall comply with all applicable export and re-export laws, regulations and requirements, as the case may be. You 
may need an export license or re-export authorization in order to comply with United States law. Receipt of the SOFTWARE may be considered an "import" within 
the meaning of some countries' laws. INTRUSION has undertaken to comply with various countries' applicable laws and regulations governing the import or use 
of encryption wherever possible. However, INTRUSION cannot warrant such compliance and hereby specifically disclaims all liability, to the extent permitted 
under applicable law, for any violation of the laws or regulations of countries other than the United States relating to import or use of the SOFTWARE. 

11 GOVERNING LAW; ARBITRATION. This Agreement shall be governed by, and any arbitration hereunder shall apply, the laws of the State of Texas, U.S.A., 
excluding (a) its conflicts of laws principles and (b) the United Nations Convention on Contracts for the International Sale of Goods (including, without limitation, 
the 1974 Convention on the Limitation Period in the International Sale of Goods and the Protocol amending the 1974 Convention, done at Vienna April 11, 1980). 
Any dispute, controversy or claim arising out of or relating to this Agreement or to a breach hereof, including its interpretation, performance or termination, shall 
be finally resolved by arbitration. The arbitration shall be conducted by three (3) arbitrators, one to be appointed by INTRUSION, one to be appointed by You and 
a third being nominated by the two arbitrators so selected or, if they cannot agree on a third arbitrator, by the President of the American Arbitration Association 
("AAA"). The arbitration shall be conducted in English and in accordance with the commercial arbitration rules of the AAA, which shall administer the arbitration 
and act as appointing authority. The arbitration, including the rendering of the award, shall take place in Dallas, Texas, and shall be the exclusive forum for 
resolving such dispute, controversy or claim. The arbitrators' decision shall: (a) be in writing; (b) include reasons for the factual and legal conclusions therein; and 
(c) shall be consistent with the provisions of Section 5 and Section 6 of this License Agreement. The decision of the arbitrators shall be binding upon the parties 
thereto, and the expense of the arbitration (including without limitation the award of attorneys' fees to the prevailing party) shall be paid as the arbitrators 
determine. The decision of the arbitrators shall be executory, and judgment thereon may be entered by any court of competent jurisdiction. Notwithstanding 
anything contained in this Paragraph 11 to the contrary, INTRUSION shall have the right to institute judicial proceedings against You or anyone acting by, through 
or under You, in order to enforce INTRUSION'S rights hereunder through reformation of contract, specific performance, injunction or similar equitable relief. 

12 MISCELLANEOUS. Neither this Agreement nor any rights or obligations hereunder may be assigned or delegated (whether by operation of law or otherwise) by 
You without INTRUSION'S prior written consent. The parties are independent contractors and neither party shall have any right, power or authority to create any 
obligation or responsibility on behalf of the other. If any provision of this License Agreement is illegal or invalid, such provision shall be changed and interpreted 
so as to best accomplish the objectives of the original provision to the fullest extent allowed by law and the remaining provisions of this License Agreement shall 
remain in full force and effect. This License Agreement constitutes the final, complete and exclusive agreement between the parties with respect to the subject 
matter hereof and supersedes any prior or contemporaneous agreement. No modification, amendment or waiver of any provision of this License Agreement shall 
be effective unless in writing and signed by the party to be charged. 

By accepting this License Agreement, You agree to be bound by such License Terms and Conditions stated above. 

If You do not choose to be bound by the above License Terms and Conditions, please contact the party You purchased this license from for refund and return 
information relating to the non-acceptance of the License Terms and Conditions. 

GENERAL INTERNATIONAL VERSION, FOR USE IN THE UNITED STATES AND CANADA (EXCEPT QUEBEC) 
FCC Statement 

Your PDS hardware generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with 
the instruction manual, may cause harmful interference to radio communications. 

The equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of FCC 
Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is 
operated in a commercial environment. 

When the equipment is operated in a residential area, it is likely to cause interference. In this case, the interference must be 
corrected at the operator's expense. 

User Instructions 

If the equipment does cause interference to radio or television reception, the user is encouraged to correct the interference 
by trying one or more of these measures: 

• Re-orient the receiving antenna. 

• Relocate the equipment with respect to the receiver. 

• Plug the equipment into a different outlet so that the equipment and receiver are on different branch circuits. 

Properly shielded and grounded cables and connectors must be used in order to meet FCC emission limits, when connecting 
the PDS equipment to your network. Appropriate cables are available from Intrusion Inc.'s authorized dealers. Intrusion Inc. 
is not responsible for any radio or television interference caused by using other than recommended cables or by unauthorized 
modifications to the equipment. It is the responsibility of the user to correct such interference. 

This equipment complies with Underwriters Laboratories (UL) requirements and is UL listed. 
Compliance Statements 

The PDS hardware has been tested and is in compliance with the following standards. 

Emission Standards 

  Test                               Standard                      Region 
  Radio Interference                 FCC Part 15 Class A           US and Canada 
  Power                              EN 55022 (CISPR22 Class A)    European Community (CE) 
  Electrostatic Discharge (ESD)      EN 61000-4-2                  European Community (CE) 
  Radiated Electromagnetic Field     EN 61000-4-3                  European Community (CE) 
  Fast Burst/Transient               EN 61000-4-4                  European Community (CE) 
  Electrical Power Line Surges       EN 61000-4-5                  European Community (CE) 
  Conducted Power and Signal Lines   EN 61000-4-6                  European Community (CE) 
  AC Voltage Dips and Interrupts     EN 61000-4-11                 European Community (CE) 

Safety Standards 

  Standard                           Region 
  UL 60950                           US 
  CUL/CSA 22.2 NO 950-M93            Canada 
  EN-60950                           European Community (CE) 

Battery Replacement Caution 

Your appliance contains a processor that uses a small lithium battery to maintain the clock function. This battery should 
function for the life of the module and should never need to be replaced. If your appliance should ever need to be repaired, 
contact Intrusion Technical Services for factory repair. 



Caution The danger of explosion exists if the battery for an appliance is replaced incorrectly. Replace 
the battery with the same type of battery recommended by the manufacturer, or an equivalent type. 
Dispose of used batteries according to the manufacturer's instructions. 



Modem Caution 

Your appliance may contain a modem for out-of-band configuration and management. Conductor size of the 
telecommunication line cord is important. Suitable line cords are available for purchase everywhere. 

Caution The modem must be connected with a telecommunication line cord with wire size no less than 
26 AWG (0.128 mm²). 
About This Guide 

Guide Organization 

Intrusion provides this documentation to help you use the PDS Pilot software to stage 
and configure an appliance that is pre-loaded with application software. The 
documentation is designed to allow quick reference to product information. 



Audience 

This guide is intended for network administrators and other technical staff who need 
to install PDS appliances, stage appliances, make connections to network hardware, 
and configure appliances. It assumes that you have a basic understanding and a 
working knowledge of the following: 

• Linux and Microsoft Windows operating systems 

• System administration (including information security) 

• Internet protocols (TCP, IP, UDP, etc.) 



Where to Find Information 

• Chapter 1, "Introduction" explains the capabilities and major features of the PDS 
Pilot software. 

• Chapter 2, "Staging" provides step-by-step procedures for using the PDS Pilot 
software to install the application software and initially configure (stage) the PDS 
product. 

• Chapter 3, "Configuration" provides step-by-step procedures for using the PDS 
Pilot software to configure and administer the application software on the PDS 
product. 

• Appendix A, "Software Recovery" explains how to restore the software on a PDS 
appliance to a known state. 

• Appendix B, "Building a Software Repository" describes creating a remote 
repository for PDS software. 

• Appendix C, "Using the Console Port" provides information about using the 
console (serial) port to access a command line for maintenance and 
administration. 

• Appendix D, "PCI Card Support" lists the PCI card types supported for optional 
PCI slots. 

• Appendix E, "Configuring VRRP" provides information about using the Virtual 
Router Redundancy Protocol. 
• Appendix F, "Generating SNMP Traps" describes generating SNMP traps. 

• Appendix G, "Glossary of Terms and Abbreviations" provides definitions of the 
terminology and abbreviations used in this document. 

• Appendix H, "Upgrade Appliance to Latest Release" provides instructions for 
upgrading PDS Pilot. 

• Appendix I, "Upgrade PDS Pilot/Check Point to Latest Release" provides 
instructions for upgrading PDS Pilot together with the Check Point software. 

• Appendix J, "Useful Linux Diagnostic Tools" provides descriptions of some 
Linux command line programs that may be useful in troubleshooting network 
problems. 

• Appendix K, "Verifying Check Point Software Integrity" provides procedures that 
you can perform to ensure the integrity of the Check Point NG files on your PDS 
appliance. 



Online Intrusion Documentation 

This document is provided as a Portable Document Format (PDF) file that is read 
using the Adobe Acrobat™ Reader. Acrobat displays the Intrusion guide in full color 
and acts similar to an online help system. With the PDF guide, you can: 

• Control the size of the displayed information 

• Print all or a portion of the guide 

• Find a specific topic using full-text search procedure 

• Use bookmarks and hyperlinks to swiftly navigate among the pages. 



Note As you view the Intrusion documentation online, you will see text that is 
highlighted as Underscored Blue . This highlight indicates that the associated text is a 
hyperlink (active link) that "jumps" you to another portion of the document. Hyperlink 
text is found in the Table of Contents, the List of Figures, and the List of Tables. 
Hyperlinks are also found throughout the text in chapters. 



Setting Magnification for Acrobat 

To set the magnification for viewing the online guide, perform the following steps: 
Step 1 Press [Control] + [M] to display the Zoom To dialog box. 

Step 2 Type a value for the Magnification you want and click on OK. Acrobat 
displays the guide pages at the specified magnification. 



Viewing an Online Guide with Bookmarks 

To view bookmarks for the online guide, perform the following steps: 

Step 1 Choose the Show Bookmarks command from the Windows menu. The 
bookmarks display as an interactive table of contents. 

Step 2 Click on the bookmark for the guide section you want to view. Acrobat 
displays the page associated with the selected bookmark. 
Printing the Online Guide 

To print the online guide, perform the following steps: 

Step 1 Choose File > Print or press [Control] + [P] to display the Print dialog 
box. 

Step 2 Select the printer and specify the number of copies to print. 

Step 3 Type the page numbers (starting and ending) in the From and To text 
fields. 

Step 4 Click on the Print button. 



Searching the Online Guide 

To search the online guide for a word or string of characters, perform the following 
steps: 

Step 1 Choose Edit >Find or press [Control] + [F] to display the Find dialog 
box. 

Step 2 Type the word (or words) to search for in the text field and click on the 

Find button. Acrobat displays the page on which the first instance of your 
search string is located. 

Step 3 If you want to find the next occurrence of the string, press 
[Control] + [G] . 



Technical Support 

For answers to your technical support questions or to suggest ways to improve your 
Intrusion product, please contact us at: 

Intrusion Technical Services Group 

Phone     1-888-637-7770 
FAX       1-972-234-4059 
E-mail    help@intrusion.com 
Hours     8:00 AM - 6:00 PM (Central Time Zone), Monday through Friday 
Address   1101 E. Arapaho Road, Richardson, TX 75081 
Web site  www.intrusion.com 
Key Information 



This guide uses typeface changes, symbols, and special icons to set apart information 
in a structured way that makes it easy for the user to read. 



Typeface and Symbol Changes 

The Intrusion documents contain procedures that use typeface changes and symbols 
as defined in Table 1 : 



Table 1 What Typeface Changes and Symbols Mean 

Typeface or Symbol: italics 
Meaning in Paragraph Text: Used for document or software titles, filenames and 
directories, new terms, words that require emphasis, and variables included in 
command line formats. 
Examples: Intel PRO/100+ Single Port Installation Guide. Network Interface Card 
(NIC). You must be root user to perform this. 

Typeface or Symbol: Bold 
Meaning in Paragraph Text: Denotes graphical user interface (GUI) objects, for 
example, field names, button labels, radio buttons, etc. 
Examples: When the Security page displays, click on the Change Password button. 

Typeface or Symbol: [Alt]+[F] 
Meaning in Paragraph Text: Keyboard keys are enclosed in square brackets and bold 
font. If the keys must be pressed simultaneously, a plus sign is used in the text. 
Examples: Press [Enter]. Press [Ctrl]+[Alt]+[Delete] to log on. 

Typeface or Symbol: <variable> 
Meaning in Paragraph Text: Angle brackets are used to indicate a variable is 
included on a command line. The variable name shown in italics should be replaced 
with a string that the user should specify. 
Examples: rpm http://<server>:<port><path to /PILOT/> pds 

Typeface or Symbol: Label1/Label2 
Meaning in Paragraph Text: Used to indicate a link, field, or other GUI object that 
toggles, or changes back and forth between two possible labels, depending on the 
last user action. 
Examples: Click on the appropriate link (Enable/Disable). 

Typeface or Symbol: Bold fixed-width 
Meaning in Paragraph Text: Identifies user input that must be typed exactly as shown. 
Examples: restore config -d 

Typeface or Symbol: Fixed-width 
Meaning in Paragraph Text: Identifies system output, including error messages and 
informational messages that display. 
Examples: Press any key to continue 
Special Information Icons 

This document presents Notes, Cautions, and Reminders to highlight information of 
direct importance to you: 




Note This symbol highlights special information that is pertinent to the primary 
discussion. This information is sufficiently important that it is set off from normal text 
and called to your attention. 




Important! This symbol identifies information that is critical to the operation or 
procedure and is necessary to prevent equipment damage (this appliance or connected 
network components) or loss of data. 



Reminder This symbol means "Don't forget!". You may need to locate some 
required information or perform a prerequisite procedure before you do this task or 
you may need to perform another task after you finish this one. 
Chapter 1 



Introduction 



PDS Pilot consists of the hardened Linux operating system, the Web-based 
management interface, optional system services, and hardware device drivers. The 
Web-based management interface is accessible from any Web browser, enabling 
management from any location. 

This guide provides procedural instructions to help you use the PDS Pilot software to 
stage, configure, and administer the applications that are pre-loaded on Intrusion 
security appliances. 



PDS Applications 

The SecureNet™ Sensors and PDS appliances can be used for a number of security and 
non-security applications. The applications currently supported and available for 
installation on the appliances include: 

• Check Point™ Software Technologies, Ltd. FireWall-1® — Enables enterprises to 
define and enforce a single, comprehensive Security Policy while providing full, 
transparent connectivity. Can be one of the following: 

- FireWall-1 

- FireWall-1 with SecureXL 

- FireWall-1 Small Office NG FP3 

• Check Point VPN-1® — A powerful and secure Internet connectivity solution that 
lets enterprises deploy Virtual Private Networks (VPNs) to protect the privacy and 
integrity of business communications over the Internet. 
Appliance Installation 



A detailed procedure for installing the PDS appliance hardware is provided in the 
Quick Start guide included in the package in which you receive the appliance. The 
Quick Start guide also contains general information about the staging and 
configuration of the PDS appliance and refers you to the appropriate chapters in this 
user guide for detailed instructions. 



Software License Keys 

Before you stage and configure a PDS security appliance, you must request the license 
keys for the pre-loaded applications that you intend to install. 

Check Point Application Software Licenses 

To request a Check Point FireWall-1 or VPN-1 license, go to the Check Point 
Licensing Center at the following World Wide Web address: 
http://www.checkpoint.com 

Intrusion Application Software Licenses 

You can contact the Intrusion License Administrator to get an Intrusion SecureNet 
Sensor license key in one of the following ways: 

• by going to our license key generation webpage: 
http://www.intrusion.com/support/snpkeygen.asp 

• by calling toll-free 1-888-637-7770 

• by sending an e-mail requesting a license key to the following e-mail address: 
help@intrusion.com 

If you plan to call the License Administrator, be prepared to provide the following 
information: 

• Name of your organization, company, or enterprise 

• Contact name 

• Telephone number 

• E-mail address 

• Serial number of appliance 

If you plan to send an e-mail, be sure to include the information listed above in the 
body of your e-mail. 

The SecureNet Sensor (formerly SecureNet Pro) license is a string of ASCII characters 
that must be entered exactly as provided. The following is an example of the format of 
the license key (each line ends with CR/LF): 

-- Start SecureNet PRO License -- 
Server-Serial: xxxxxxxx 
Username: xxxxxxxx 
Description: xxxxxxxx 
Console-Serial1: xxxxxxxx 
Console-Serial2: xxxxxxxx 
Expire-Date: xxxxxxxx 

Signature: xxxxxxxxxxxxxxxxxxxxxxxxxxxx 
-- End SecureNet PRO License -- 
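Because the key must be entered exactly as provided, it is useful to check a pasted block for the layout shown above before submitting it. The following Python parser is an added example, not part of this manual or the SecureNet software: it verifies CR/LF endings on every line, the start and end markers, and that each documented field is present exactly once. The sample values are constructed placeholders, and since the manual does not describe how the Signature is computed, the parser only checks that the field exists.

```python
import re
from typing import Dict

# Markers and field names exactly as they appear in the manual's example key.
START_MARKER = "-- Start SecureNet PRO License --"
END_MARKER = "-- End SecureNet PRO License --"
REQUIRED_FIELDS = ("Server-Serial", "Username", "Description",
                   "Console-Serial1", "Console-Serial2", "Expire-Date", "Signature")

# Constructed sample with placeholder values (not a real key).
SAMPLE_LICENSE = "\r\n".join([
    START_MARKER,
    "Server-Serial: 00000001",
    "Username: example-user",
    "Description: constructed sample",
    "Console-Serial1: 00000002",
    "Console-Serial2: 00000003",
    "Expire-Date: 20031231",
    "",
    "Signature: " + "A" * 28,
    END_MARKER,
]) + "\r\n"


class LicenseFormatError(ValueError):
    """The pasted text does not match the documented layout."""


def parse_license(text: str) -> Dict[str, str]:
    """Split a SecureNet license block into its fields.

    The manual says every line ends with CR/LF and the key must be entered
    exactly as provided, so bare LF or CR endings and malformed lines are
    rejected instead of being silently repaired.
    """
    if not text.endswith("\r\n"):
        raise LicenseFormatError("license must end with CR/LF")
    lines = text.split("\r\n")[:-1]  # drop the empty element after the final CR/LF
    if any("\n" in line or "\r" in line for line in lines):
        raise LicenseFormatError("bare LF or CR line ending found")
    if len(lines) < 2 or lines[0] != START_MARKER or lines[-1] != END_MARKER:
        raise LicenseFormatError("missing start or end marker")

    fields: Dict[str, str] = {}
    for line in lines[1:-1]:
        if line == "":  # the example key shows one blank line before Signature
            continue
        # "Name: value" with no trailing whitespace in the value
        match = re.fullmatch(r"([A-Za-z0-9-]+):\s*(.*\S)", line)
        if not match:
            raise LicenseFormatError(f"malformed line: {line!r}")
        key, value = match.group(1), match.group(2)
        if key in fields:
            raise LicenseFormatError(f"duplicate field: {key}")
        fields[key] = value

    missing = [name for name in REQUIRED_FIELDS if name not in fields]
    if missing:
        raise LicenseFormatError("missing field(s): " + ", ".join(missing))
    return fields


def is_well_formed(text: str) -> bool:
    """True if parse_license accepts the text, False on any format error."""
    try:
        parse_license(text)
        return True
    except LicenseFormatError:
        return False


if __name__ == "__main__":
    for name, value in parse_license(SAMPLE_LICENSE).items():
        print(f"{name}: {value}")
```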
Chapter 2 



Staging 

This chapter provides the procedures for setting up your appliance for operation. 




Note The procedures in this chapter are for staging the appliance using PDS Pilot 
software version 2.7. If your appliance has an earlier version of the PDS Pilot 
software, we recommend that you update your PDS Pilot software to the latest version. 
Instructions for updating your software are provided in Appendix H of this user guide. 



Staging includes connecting to the PDS Pilot through a pre-defined Ethernet port to 
install applications and services, as well as defining the network address that is 
necessary to communicate with the PDS Pilot through a remote web browser. 




Important! Because some tasks are optional and some prompts require you to 
respond quickly (before a default is processed), we recommend reading all of the 
procedures in this chapter before you begin performing the steps. 



Setting Up for Staging 



To stage the appliance, you must use an external personal computer (PC) running a 
web browser and log into the appliance's secure website on the pre-defined IP address 
(10.1.2.2). The PC must have Netscape Navigator 4.0 (or higher) or Microsoft Internet 
Explorer 4.0 (or higher) installed, and JavaScript must be enabled. 




Note The external PC that you connect to the appliance must have its Ethernet port 
set on the same subnetwork as the appliance's secure website. The secure website is 
on 10.1.2.2 with a subnet mask of 255.0.0.0, so the external PC's Ethernet port must 
be on 10.1.2.x, where x is any digit 0-9, except 2. 




Note The illustrations used in this guide were created from screens displayed on a 
Microsoft Windows-based PC running Microsoft Internet Explorer. If you use 
Netscape to stage and configure your appliance, the appearance of the PDS Pilot pages 
will be slightly different. 
To connect the external PC to the appliance, perform the following steps: 

Step 1 If necessary, power on the appliance. On hardware that has a Power switch, 
set the Power switch to ON (1). On hardware without a Power switch, 
unplug the power cord, wait a few seconds, and then plug the power cord 
back into the power outlet. 

Step 2 Connect an Ethernet crossover cable to the E1 port on the appliance and to 
the Ethernet port of the PC running the web browser. 



Perform Staging 



To stage the appliance using the PDS Pilot, perform the following steps: 
Step 1 On the external PC's web browser, enter the following URL: 
https://10.1.2.2 

and then press [Enter]. A series of new certificate dialogs display. Read and 
accept each dialog as requested to continue. 

The PDS Pilot Login page displays. See Figure 2-1. 





[Screenshot: Intrusion Inc. login form with a Submit button] 

Figure 2-1 PDS Pilot Login Page 
If you are unable to connect to the PDS Pilot Login page, check that you have 
correctly connected an operational crossover cable and check that you have 
set an appropriate address for the PC as described in " Setting Up for 
Staging". 

Step 2 Log in to the appliance using the default username "intrusion" and the 
default password "password", and then click on the Submit button. 

The Software License Agreement page displays (see Figure 2-2). 



[Screenshot: Intrusion.com software license agreement text, with ACCEPT and Log Out buttons] 

Figure 2-2 Software License Agreement Page 




Step 3 Read the software license agreement carefully, and if you agree to the 
terms specified therein, click on the ACCEPT button to continue. 

Note The PDS 1110 and PDS 2110 can be used for the Check Point VPN-1/ 
FireWall-1 SmallOffice NG only, and the software is pre-loaded and installed on those 
appliances. The Application Selection page does not display. If you are staging a PDS 
1110 or PDS 2110 appliance, skip to Step 9 on page 2-1. 




The Application Selection page displays (see Figure 2-3). The Application 
Selection page includes buttons that you can click to install the 
applications listed. 

The Application Selection page lets you install the applications you want 
to use with the appliance. 

Note Figure 2-3 is an example of the Application Selection page. The applications 
shown on the page vary by appliance. 
[Screenshot: "Select the application you want to install, then click the Install Application button below. Please Note: Installation of an application may take a few minutes." Radio buttons: 
Install pdshlp-NG-base (Installs Check Point NG VPN-1/FireWall-1); 
Install pdshlp-NGPP-base (Installs Check Point NG VPN-1/FireWall-1 with Performance Pack); 
Install pdshlp-SNP_Con (Requires KVM) (Installs SecureNet Pro Console); 
Install pdshlp-SNP_EngSig (Installs SecureNet Pro Sensor; Installs Signatures); 
Install pdshlp-SNP_EngSigCon (Requires KVM) (Installs SecureNet Pro Sensor and Console; Installs Signatures); 
Install pdshlp-SN_WBI (Installs SecureNet Web Browser Interface, Sensor and Signatures). 
Buttons: Install Application, Skip Application Installation, Log Out] 

Figure 2-3 Application Selection Page 




Note Check Point Performance Pack NG FP3 significantly improves the performance 
of VPN-1/FireWall-1 NG FP3. The PDS 7315 with dual processors, 1GB of RAM, 
and gigabit network interface cards is ideally suited for Performance Pack system 
requirements. The PDS 2000 series and PDS 5000 series appliances also gain some 
performance advantages at an added cost of memory per connection. Performance 
Pack is enabled only with a Check Point Performance Pack or Unlimited module 
license. For more information about Check Point Performance Pack, refer to the Check 
Point Performance Pack User Guide. 



Reminder Remember that the SecureNet Linux Console application can be 
installed only on an appliance that has connections for a keyboard, a video monitor, 
and a mouse (KVM). 
Step 4 Click on the radio button for the application that you want to install and 
then click on the Install Application button to install your selection. Then 
go to Step 5. 

--OR-- 

Click on the Skip Application Installation button. A confirmation 
message displays confirming that you want to skip installing an 
application. Click on OK to confirm acceptance. Then go to Step 7. 

Step 5 If you chose to install an application, wait for the application to install. 
Installation may take a few minutes. 

When the installation is complete, the Application Selection page 
redisplays with a message that indicates your selected application is 
installed. Figure 2-4 shows a successful result message for a SecureNet 
Sensor installation. 



[Screenshot: "pdshlp-SNP_EngSigCon installed successfully"; Applications: pdshlp-SNP_EngSigCon has been installed; Proceed to Next Stage button] 

Figure 2-4 Application Installation Results Page 

Figure 2-5 shows a successful result message for a PDS installation. 



[Screenshot: "pdshlp-NGPP-base installed successfully"; Applications: pdshlp-NGPP-base has been installed; Proceed to Next Stage button] 

Figure 2-5 Application Installation Results Page 
Step 6 Click on the Proceed to Next Stage button. 
Step 7 Verify that the Services Selection page displays. See Figure 2-6. 



[Screenshot: Install Services pane. "Click the checkboxes for the service(s) you wish to install. Then click the Install Service(s) button below." Checkboxes: 
Install callback_icom 1.0.0-5 (A set of Intrusion Inc. policies for mgetty); 
Install dhcp 1:2.0pl5-4pds (A DHCP (Dynamic Host Configuration Protocol) server and relay); 
Install keepalived 0.6.3-2pds (The KeepAlive/VRRP Daemon); 
Install ntp 4.0.99k-15pds (Synchronizes system time using the Network Time Protocol (NTP)); 
Install ucd-snmp 4.2.3-2pds (A collection of SNMP protocol tools); 
Install xinetd 2.3.3-1.1pds (A secure replacement for inetd); 
Install zebra 0.91a-4pds (Routing daemon). 
Button: Install Service(s)] 

Figure 2-6 Services Selection Page 




Note For more information about the services, refer to the " Glossary of Terms and 
Abbreviations ". You can install any of the services listed on the Service Selection page 
after staging is complete by clicking on the Package Management link of the 
Navigation Pane. 




Note If you installed the SecureNet Linux Console application, the X Windows 
service, pds2-XDM, was automatically installed for you and Ethernet port eth3 
(hardware port E3) was disabled automatically. 



Step 8 Click on the checkboxes for the services that you want to install, and then 
click on the Install Service(s) button to install your selections. The 
services that you selected install. Then go to Step 9. 

--OR-- 

Click on the Skip Service(s) Installation button. A confirmation message 
displays confirming that you want to skip installing a service. Click on OK 
to confirm acceptance. 
Step 9 Verify that the System Information page shown in Figure 2-7 displays. 




[Screenshot: System Information form with System Name, Location, System Description, and Contact Name fields; Apply Changes and Proceed to Next Stage buttons] 

Figure 2-7 System Information Page 

Step 10 If you want to accept the values that are currently displayed in the system 
information fields, go to Step 13. 

--OR-- 

Change the system information fields as needed. 

a. In the System Name field, type the name that identifies the system. 

b. In the Location field, type the name of the place where the system is 
located. 

c. In the System Description field, type a summary that describes the type 
or purpose of the system. 

d. In the Contact Name field, type the name and contact information for 
the person who will administer and maintain the system. 

Step 11 When you are finished entering system information, click on the Apply 
Changes button to save the system information you specified. 

The System Information Results message displays. See Figure 2-8. 



[Screenshot: "System information set successfully"] 

Figure 2-8 System Information Results Message 
Step 12 Go to Step 14. 

Step 13 Click on the Proceed to Next Stage button. A confirmation message 
displays confirming that you want to skip setting system information. Click 
on OK to confirm acceptance. 
Step 14 Verify that the System Time page shown in Figure 2-9 displays. 




[Screenshot: Time on local machine; PDS System Time fields: Timezone, Hour, Minute, Day of Month, Month, Year; note "if you advance the system time more than 5 minutes, you will be forced to log in again"; Apply Changes and Accept Defaults buttons] 

Figure 2-9 System Time Page 

Step 15 If you want to accept the values that are currently displayed in the system 
time fields, go to Step 18. 

--OR-- 

Change the system time fields as needed. 

a. In the Timezone field, select the time zone type. 

b. In the Hour field, select the hour portion of the current time. 

c. In the Minute field, select the minutes portion of the current time. 

d. In the Day of Month field, select the current date. 

e. In the Month field, select the current month. 

f. In the Year field, select the current year. 

Step 16 When you are finished changing the system time fields, click on the Apply 
Changes button to apply the system time information you specified. 

Note If you set the time forward more than your user timeout value, you will be forced 
to log in again. When you log in again, you are returned to this point in the staging 
process. 
The web page refreshes and the following message displays: 



System time has been changed from: Thu Apr 18 11:47:16 EDT 2002 



Figure 2-10 System Time Changed Message 
Step 17 Go to Step 19. 

Step 18 Click on the Accept Defaults button to continue. A confirmation message 
displays confirming that you want to skip setting the system time. Click on 
OK to confirm acceptance. 
Step 19 Verify that the Initial Security page displays. See Figure 2-11. 



[Screenshot: Initial Security page. SSH Boot Status: SSH will start on boot (Disable SSH on boot button); Remote Management Status: Remote Management Port disabled (Enable Remote Management Port button); Passwordless Single User Login Status: Passwordless single user login disabled (Enable passwordless single user login button); Change GUI Admin Username/Password: New Username, New Password, Confirm Password fields and Update button; Change ROOT Password: New Password, Confirm Password fields and Change Password button; Generate New SSL Certificate pane. Both password panes state: "Passwords must be a minimum of 6 characters and a maximum of 15 characters in length. Special characters are permitted in any field of the password."] 

Figure 2-11 Initial Security Page 




Note To configure Intrusion SecureNet Sensor software or Check Point VPN-1/ 
FireWall-1 software, SSH capabilities must be enabled. Use SSH through in-band 
access. By enabling SSH to start at boot, you can ensure that SSH capabilities are 
available. 
The upper pane of the Initial Security page displays the current state of the 
Secure Shell boot status. 




The second pane lets you specify whether you want to enable the Remote 
Management Port. The Remote Management Port is reserved for future 
use. 

The third pane lets you disable password protection in "single user mode." 
The normal operating mode (or "run level") for the PDS is "multi-user 
mode". Without special operator intervention, the PDS boots up in this 
mode. However, you can direct the PDS to boot up in a special "single user 
mode" that you can use to troubleshoot and resolve various problems. 

By default, single user mode on the PDS is password-protected and you are 
required to enter the root password to access the command line. This 
default behavior is implemented for security reasons. Removing password 
protection of single user mode lets you access the command line locally 
without entering the password. 

The fourth pane lets you change the administrator's username and 
password for the PDS Pilot. Passwords must be a minimum of six 
alphanumeric characters and a maximum of 15 characters in length. 
Special characters are permitted in the password. 

The fifth pane of the Administration page lets you change the password for 
the Linux root superuser. 

The sixth pane of the Initial Security page lets you generate a new SSL 
certificate. 

Step 20 To change the Secure Shell boot status, click on the Enable/Disable SSH 
on boot button (the name of the button changes with the status). 

The Secure Shell boot status changes to match your selection and the text 
on the button changes. 

Step 21 To change the Remote Management port status, click on the Enable/ 
Disable Remote Management Port button (the name of the button changes 
with the status). 

The Remote Management Port status changes to match your selection and 
the text on the button changes. 

Step 22 To disable/enable the requirement to use a password in "single user mode", 
click on the Enable/Disable passwordless single user login button. 

The Login Status field and the button title change to reflect your selection. 

Step 23 To change the administrator's username for the PDS Pilot, type a unique 
name for the PDS Pilot administrator account in the New Username field. 

Note The PDS Pilot administrator's password must be a minimum of six 
alphanumeric characters and a maximum of 15 characters in length. Special 
characters are permitted in any field of the password. To enhance the security of the 
password, you can use a mix of uppercase and lowercase characters. The password 
fields display all characters as asterisks to prevent inadvertent disclosure. 
Step 24 To change the administrator's password for the PDS Pilot, use the 
guidelines noted above and type a unique password for the administrator 
account in the New Password field. 



Step 25 In the Confirm Password field, type the password again exactly as you 
typed it in the New Password field. 

Step 26 Click on the Update button. 




Note The Linux root password must be at least eight characters long. To enhance the 
security of the password, you should use more than eight alphanumeric characters with 
a mix of uppercase and lowercase characters. The password fields display all 
characters as asterisks to prevent inadvertent disclosure. 



Step 27 To change the password for the Linux root superuser, use the guidelines 
noted above and type a unique password for the root account in the New 
Password field. 

Step 28 In the Confirm Password field, type the password again exactly as you 
typed it in the New Password field. 

Step 29 Click on the Change Password button. 




Note The PDS Pilot has a default Secure Socket Layer (SSL) certificate for securing 
the connection between the PDS Pilot and your Web browser. You can create a new 
certificate with your specific information. 



Step 30 To generate a new SSL certificate, in the Generate New SSL Certificate 
pane (bottom of Figure 2-11 ), type your specific information. Note that all 
fields are required. 

Step 31 In the Company field, type the name of the company to be associated with 
this certificate. 

Step 32 In the Division field, type the unit or department of the company associated 
with the certificate. 

Step 33 In the City field, type the city in which the company associated with the 
certificate is located. 

Step 34 In the State field, type the state in which the company associated with the 
certificate is located. 

Step 35 In the Country field, type the country in which the company associated 
with the certificate is located. 

Step 36 In the Machine field, type the host name of the equipment for which the 
certificate is being generated. 

Step 37 In the Contact field, type the name of the person requesting the generation 
of the certificate. 

Step 38 When you are finished entering the information in the form, click on the 
Generate button to generate the new certificate. 

Step 39 When you have finished making changes on the Initial Security page, click 
on the Proceed to Next Page button. 
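Before you commit the Initial Security page, it is worth checking the values you intend to enter against the rules this page states. The following Python check is an added example, not part of the manual or the PDS Pilot software; the InitialSecuritySettings structure and the audit function are constructed for it, and they encode only what the page gives: the factory login of "intrusion"/"password", 6 to 15 characters for the PDS Pilot administrator password, at least 8 characters (more, with mixed case, recommended) for root, SSH needed on boot to configure the applications, and single user mode left password-protected.

```python
from dataclasses import dataclass
from typing import List

# Factory defaults the manual states for the first PDS Pilot login (Chapter 2, Step 2).
DEFAULT_ADMIN_USER = "intrusion"
DEFAULT_ADMIN_PASSWORD = "password"


@dataclass
class InitialSecuritySettings:
    """Values an operator intends to submit on the Initial Security page (constructed)."""
    ssh_on_boot: bool
    remote_management_port: bool
    passwordless_single_user_login: bool
    admin_username: str
    admin_password: str
    root_password: str


def _has_mixed_case(password: str) -> bool:
    """True when the password contains both upper- and lower-case letters."""
    return any(c.islower() for c in password) and any(c.isupper() for c in password)


def audit_initial_security(s: InitialSecuritySettings) -> List[str]:
    """Return findings; an empty list means the settings meet the manual's rules.

    'ERROR' findings are values the PDS Pilot rejects or factory defaults left in
    place; 'WARN' findings are the manual's recommendations rather than hard limits.
    """
    findings: List[str] = []
    if not s.ssh_on_boot:
        findings.append("WARN: SSH not set to start on boot; the manual requires SSH to "
                        "configure SecureNet Sensor or Check Point software")
    if s.remote_management_port:
        findings.append("WARN: Remote Management Port enabled although the manual says it "
                        "is reserved for future use")
    if s.passwordless_single_user_login:
        findings.append("ERROR: passwordless single user login gives local command-line "
                        "access without the root password")
    if s.admin_username == DEFAULT_ADMIN_USER:
        findings.append("ERROR: PDS Pilot administrator username is still the factory default")
    if s.admin_password == DEFAULT_ADMIN_PASSWORD:
        findings.append("ERROR: PDS Pilot administrator password is still the factory default")
    if not 6 <= len(s.admin_password) <= 15:
        findings.append("ERROR: PDS Pilot administrator password must be 6 to 15 characters")
    elif not _has_mixed_case(s.admin_password):
        findings.append("WARN: PDS Pilot administrator password lacks a mix of upper- and "
                        "lower-case characters")
    if len(s.root_password) < 8:
        findings.append("ERROR: Linux root password must be at least 8 characters")
    elif len(s.root_password) == 8 or not _has_mixed_case(s.root_password):
        findings.append("WARN: root password should exceed 8 characters and mix upper- and "
                        "lower-case characters")
    return findings


if __name__ == "__main__":
    # Constructed example: everything still at factory defaults, single user mode opened.
    proposed = InitialSecuritySettings(True, False, True, "intrusion", "password", "short")
    for finding in audit_initial_security(proposed):
        print(finding)
```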
The Initial Network Settings page displays. See Figure 2-12. 



[Screenshot: Initial Network Settings form. Default Gateway: 160.86.11.1; Current Hostname; Change IP address for eth1: 160.86.11.81; Change Netmask for eth1: 255.255.255.0; Apply Changes and Accept Current Settings buttons] 

Figure 2-12 Initial Network Settings Page 

Step 40 If you want to accept the values that are currently displayed in the Initial 
Network Settings fields, go to Step 42. 

--OR-- 

Change the initial network settings fields as needed. 

a. In the Default Gateway field, type the hostname or IP address of the 
default gateway for the appliance in dotted quad format. 

b. In the Current Hostname field, type the hostname that you want to 
assign to the appliance. 

c. In the Change IP Address for eth1 field, type the new IP address for 
the appliance in dotted quad format. 

d. In the Change Netmask for eth1 field, type the new netmask for the 
appliance in dotted quad format. 

Step 41 When you are finished changing the initial network settings, click on the 
Apply Changes button. 

The Initial Network Settings results message displays. See Figure 2-13. 



Bootip address for eth1 set successfully 
Boot netmask for eth1 set successfully 
Hostname set successfully 
Default gateway set successfully 



Figure 2-13 Initial Network Settings Results Message 
Step 42 If your appliance includes a modem and you installed the callback_icom 
service, verify that the Modem User Data Setup page shown in Figure 2-14 
displays. 



[Screenshot: Modem User Data Setup page. Change Password for 'modemuser' account: Current Password, New Password, Confirm New Password fields; Add a new Call-back Number: Phone Number field; Valid Call-back Numbers table (Phone Number, Delete?) with sample entry 8775551212; Delete Number(s) and Reset buttons] 

Figure 2-14 Modem User Data Setup Page 





Note If your appliance does not include a modem, or if it has a modem but you did 
not install the callback service, the page shown in Figure 2-14 does not display. Skip 
to Step 51 on page 2-15. 

The Modem Data Setup page lets you change the password for the modem user 
account, add or delete Call-back Numbers, and specify a country code for an appliance 
that includes the MT3334SMI type modem. 

Note Entering modemuser account information during staging is optional. If you 
would prefer to enter the information after the appliance has been staged, skip to Step 
50 on page 2-15 . 

Step 43 To use the Change Password for 'modemuser' account: pane to change 
the password, type the current password into the Current Password field. 
(The factory-default password is "intrusion".) 

Step 44 Type the new password into the New Password field. Passwords must be a 
minimum of six alphanumeric characters and a maximum of 15 characters 
in length. Special characters are permitted in any field of the password. 

Step 45 Type the new password again (exactly as you typed it in the New Password 
field) into the Confirm New Password field. 
Step 46 Click on the Change button to replace the previous password with the new 
password you specified. 

Step 47 Use the Add a New Call-back Number pane to specify a Call-back 
Number for the list of numbers. Type the Call-back number in the Phone 
Number: field. Click on the Add Number button to save the Call-back 
number. 




Note When you use the modemuser account to dial into the appliance and the 
appropriate script is run, the modem prompts you for a call-back number. The 
modem checks for the call-back number you entered in the list of call-back numbers. 
If the number is found in the list, the modem hangs up and calls you back at the 
specified number, enabling you to manage the appliance from a command line. 



Step 48 Use the Valid Call-back Numbers: pane to delete previously specified 
Call-back numbers. Click on the checkbox next to the Call-back number 
you want to delete. Click on the Delete Number(s) button to delete the 
Call-back number from the list. 

Step 49 To use the Modem Type: pane to specify the Country Code to be used with 
Call-back numbers for an MT3334SMI modem, click on the pull-down and 
select the country from which calls will originate. Click on the Update 
Country Code button to change the Country Code for numbers. 

Step 50 When you have made all the necessary changes to the modem information 
on the Modem Data Setup page, click on the PROCEED button to 
continue. 

Step 51 Verify that the Staging Complete page displays (see Figure 2-15). 



Your PDS has been configured. 
The system must now reboot to apply your configuration. 
Please click 'PROCEED' to reboot. 



PROCEED 




Log Out 




Figure 2-15 Staging Complete Page 
Step 52 Click on the PROCEED button to acknowledge the completion of staging. 
The system reboots and the Reboot message shown in Figure 2-16 displays. 

System will now reboot. This may take several minutes. 



Wait for system to finish rebooting before logging back in. 
Return to login screen 



Figure 2-16 Reboot Message 

Step 53 Wait for the system to reboot and then click on the Return to login screen 
link. 




Note If you changed the IP address during staging, you may get the message 
HTTP 500 Cannot find server. If this occurs, enter the following URL on 
your browser: https://<ip address> where ip address is the new IP address that you 
specified. If you did not change the IP address during staging, wait a few seconds 
and then click on the Reload or Refresh button on your browser. 



Step 54 When the PDS Pilot Login page displays, log in to the system again to 
verify that the staging process was successful. 




Reminder Remember, if you changed the PDS Pilot administrator's username or 
password, use the new ones. 
The PDS Pilot Main page displays. See Figure 2-17. 



[Screenshot: Intrusion Inc. banner, "Intrusion PDS Pilot 2.7(X)"; Navigation Bar links: PDS, Network Configuration, Logging Configuration, System Status/Control, Application Control, Package Management, Log Out] 

Figure 2-17 PDS Pilot Main Page 



You can easily return to this page by clicking on the Home link that 
appears on many of the pages that display. 

Step 55 Click on the Log Out link. 

The PDS Pilot Login page displays. See Figure 2-1. 
Connect to Your Networks 



To dismantle the initial setup and connect the appliance to your internal and external 
networks, perform the following steps: 



Step 1 If necessary, log out of the PDS Pilot. 

Step 2 Power off the appliance. On hardware that has a Power switch, set the 
Power switch to OFF (0). On hardware without a Power switch, unplug the 
power cord from the power outlet. 

Step 3 Remove the crossover cable from the appliance and the client PC and set it 
aside. 

Step 4 Connect the Twisted Pair Ethernet (TPE) network cables to the appropriate 
Ethernet ports on the appliance. 

Note For 100BaseTX, your network cable must be Category 5, twisted-pair wiring. 
For 10BaseT, you can use Category 3, 4, or 5 twisted-pair wiring. If you are using the 
appliance in a residential environment, you must use a Category 5 cable. 



Step 5 Power on the appliance. On hardware that has a Power switch, set the Power 
switch to ON (1). On hardware without a Power switch, plug the power cord 
into the power outlet. 
Chapter 3 



Configuration 

This chapter provides the procedures for configuring your appliance. You can 
configure the appliance after it has been staged by logging into the unit's secure 
website and entering the appropriate parameters for your applications. 

If your appliance has not been staged, you will not be able to access the appliance at 
the level needed to perform these procedures. Refer to Chapter 2 of this user guide for 
instructions for staging the appliance. 




Note The procedures in this chapter are for configuring PDS Pilot version 2.7. If your 
appliance has an earlier version of PDS Pilot software, we recommend that you update 
your PDS Pilot software to the latest version. Instructions for updating your software 
are provided in Appendix H and Appendix I of this user guide. 



The procedures in this chapter can be randomly accessed. If you are reading this guide 
on hardcopy, use the Table of Contents to help you locate the procedure you want to 
perform. If you are reading this guide using a PDF reader, you can use the Table of 
Contents, use the search capabilities of the PDF reader, or use the PDF bookmarks in 
the reader's Navigation pane to find topics of interest. 
Logging In to PDS Pilot 

To log in to the appliance's secure website, perform the following steps: 

Step 1 On a web browser, enter the URL assigned to the Ethernet port eth1 on 
your appliance (https://<ipaddress>) and then press [Enter]. 

The PDS Pilot Login page displays. See Figure 3-1. 





[Screenshot: Intrusion Inc. login form with User Name and Password fields, radio buttons for Intrusion PDS Pilot and Intrusion SecureNet WBI, and Submit and Reset buttons] 

Figure 3-1 PDS Pilot Login Page 




This Login page shows radio buttons for Intrusion PDS Pilot and Intrusion 
SecureNet WBI (Web Browser Interface). These options appear only if you 
have installed the SecureNet Web Browser Interface on the appliance. By 
default, the Intrusion PDS Pilot is already selected, so there is no action 
required on these elements to log in to Intrusion PDS Pilot. 

Step 2 Log in to the appliance using your administrator username and password, 
and then click on the Submit button. 

Note Remember that after you log in and begin configuring the appliance, you will 
automatically be logged out if the interface is left idle for the period specified as the 
timeout (10 minutes by default). Refer to "View/Edit Management Tool Users" for 
more information about specifying the timeout value. 
The PDS Pilot Main page displays. See Figure 3-2. 



[Screenshot: Intrusion Inc. banner, "Intrusion PDS Pilot 2.7(X)"; Navigation Bar links: PDS, Network Configuration, Logging Configuration, System Status/Control, Application Control, Package Management, Log Out] 

Figure 3-2 PDS Pilot Main Page 



The Navigation Bar (in the left frame of the web page) displays links to the 
major categories of configuration tools provided in the PDS Pilot. This 
chapter is arranged in the order in which the functions appear in the 
Navigation Bar. By clicking on a link, you can display a page with an array 
of functions depicted by the use of tabs. By clicking on the tabs, you can 
see the other pages under that major category. 

When you are finished with a configuration session, you can click on the 
Log Out link to log out of the PDS Pilot. 
Network Configuration



The Network Configuration page contains four tabs that are used to configure the 
appliance: 

• Network Interfaces — Used to configure the appliance's Ethernet ports. 

• Routing — Used to configure the static routes and the default gateway. 

• Host/IP Configuration — Used to change the hostname for your appliance, edit 
the Hosts file, and edit Domain Name Service (DNS) information. 

• View/Edit ARP Cache — Used to manipulate the Address Resolution Protocol 
(ARP) cache. 



Viewing/Editing Ethernet Ports



Your appliance comes with three 10/100-Mbps Ethernet ports. These are the "E" ports 
of the appliance. 




Note Appliances sold for Intrusion SecureNet Sensor applications have port E3 
disabled. 

To view the appliance's Ethernet ports, perform the following steps: 

Step 1 If necessary, click on the Network Configuration link on the Navigation 
Bar (shown in Figure 3-2) and then click on the Network Interfaces tab. 

The Network Interfaces page displays. See Figure 3-3 . 



[Figure 3-3 screenshot: Network Interfaces page, with tabs Network Interfaces, Routing, Host/IP Configuration, and View/Edit ARP Cache]

Interface Status Tue Jun 26 13:07:50 EDT 2001

Device  Type      Current IP Address  Current Status  Link  Speed      Duplex  Actions
eth1    Ethernet  10.1.2.2            UP              YES   100baseTx  Full    Disable / Add Virtual
eth2    ethernet                      DOWN            NO                       Enable / Add Virtual
eth3    ethernet                      UP              YES   10baseT    Half    [CLIENT] / Add Virtual
lo      loopback  127.0.0.1           UP

Refresh this list    Home

Figure 3-3 Network Interfaces Page
This page displays the current actual and virtual Ethernet ports for the
system. Initially, only the actual ports (eth1, eth2, and eth3) are
configured. The eth1 port corresponds to the hardware port E1; it has an
initial IP address of 10.1.2.2 that is used during staging of the appliance. (By
now, you have probably changed the IP address.) The eth2 port
corresponds to hardware port E2 and the eth3 port corresponds to hardware
port E3.

Note For appliances equipped with PCI slots that have supported PCI cards installed, 
additional devices will display on the Network Interfaces page. A device link with a 
name in the format card_type_wan represents a valid PCI card installed in a PCI slot 
of an appliance. Click on the device link to edit any settings for the card. For 
information about PCI card support for security appliances, refer to Appendix D, "PCI 
Card Support" . 






Notice that you can also use this page to determine which port is supporting
the PDS Pilot client. Note that the eth3 port is labeled [CLIENT] in
Figure 3-3.

The links on the far right side of this page let you add/delete a virtual 
interface and enable/disable an interface. 

Caution Unless you have a specific reason for using a virtual interface, you should 
avoid using it because some applications do not handle virtual interfaces well. 

Step 2 To add a virtual interface to an active interface, click on the Add Virtual 
link to the right of that interface. 

Note You must specify the IP Address and Netmask for both the current interface and 
the boot interface before you can activate a virtual interface. 

A virtual interface displays in the table directly beneath the active interface 
and the Add Virtual link changes to Delete Virtual. 

Step 3 To delete a virtual interface, click on the Delete Virtual link to the right of 
that interface. 

The virtual interface disappears from the table and the Delete Virtual link 
changes back to Add Virtual. 

Note Because you are currently using it, the port labeled [CLIENT] cannot be 
disabled. 

Step 4 To change a port's status (UP/DOWN), click on the Enable/Disable link to 
the right of that interface (the name of the button changes with the status). 

Step 5 To edit an existing Ethernet interface (active or virtual), click on its link in 
the Device column. 
The Edit Interface page for the selected interface displays. See Figure 3-4.



[Figure 3-4 screenshot: Edit Interface page]

Interface: eth1
Device: eth1   Type: ethernet   HW Address: 00:00:52:55:A2:AA

          IP Address     Netmask        Network Address
Current   160.86.14.81   255.255.255.0  160.86.14.0
Boot      160.86.14.81   255.255.255.0  160.86.14.0

Speed/Duplex: Negotiated            Boot Protocol: (drop-down list)
Activate on Boot?: ( ) Yes ( ) No   Synch Boot with Current?: ( ) Yes ( ) No

Update   Reset

Figure 3-4 Edit Interface Page

This page displays the current and boot values for the Ethernet interface 
using editable text fields and selection buttons. The Current fields let you 
view/edit the current IP address and netmask for the interface. 

The Boot fields let you view/edit the IP address and netmask for the 
interface to be assigned to the port upon booting the appliance (if the port 
is set to be activated on reboot). 

The Speed/Duplex field lets you specify the speed of transmission and the 
direction (such as half duplex or full duplex). 

The drop-down Boot Protocol field lets you select the boot protocol to be 
used. 

The Activate on Boot radio buttons let you choose whether to activate the 
interface upon rebooting of the appliance. 

Step 6 To change the information in the Current IP Address and Netmask fields,
edit the text using normal methods. Make sure that the fields are correctly
entered in dotted quad format.

Step 7 To specify the Boot IP Address and Netmask fields, enter or edit the text
in the fields using normal methods. Make sure that the fields are correctly
entered in dotted quad format.

Step 8 To change the Speed/Duplex setting for the interface, click on the arrow to
the right of the Speed/Duplex field and select the appropriate Speed and
Duplex setting for the interface.
Step 9 To specify the protocol to be used upon rebooting of the appliance (if the
port is set to be activated on reboot), click in the Boot Protocol field and 
then select the appropriate boot protocol from the drop-down list. The 
default is none; the other selection is dhcp. 

Step 10 To specify whether the interface is to be activated when the appliance 

reboots, select the appropriate Activate on Boot radio button, Yes or No. 

Step 11 To specify whether the interface is to synchronize the Boot IP Address and 
Netmask fields with the Current IP Address and Netmask fields, select 
the appropriate Synch Boot with Current radio button, Yes or No. 

Step 12 When you are finished making changes to the boot configuration, click on 
the Update button. 
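The dotted quad checks the steps above call for, and the Network Address column that the Edit Interface page derives from an IP address and netmask, worked through in Python. This is an added example, not part of PDS Pilot or this guide. The sample values (160.86.14.81 and 255.255.255.0) are those shown in Figure 3-4; the form layout, the handling of Synch Boot with Current, and the check that a boot address is not the network address itself are this example's own assumptions.

```python
"""Validate the dotted-quad fields of the Edit Interface page and derive the
Network Address column it shows.

Added example, not part of PDS Pilot or its guide. The sample values
(160.86.14.81 / 255.255.255.0) are those shown in Figure 3-4; the form
dictionary layout and the rule that a usable boot address must not equal
the network address are assumptions of this example.
"""
import ipaddress
import re

# "Dotted quad format" as the page requires it: exactly four decimal octets.
DOTTED_QUAD = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def parse_dotted_quad(text):
    """Accept strict dotted-quad text only (no shorthand such as '10.1')."""
    text = text.strip()
    if not DOTTED_QUAD.match(text):
        raise ValueError("not dotted quad: %r" % text)
    return ipaddress.IPv4Address(text)   # also rejects octets above 255


def netmask_prefix(text):
    """Prefix length of a contiguous netmask (255.255.255.0 -> 24).

    A mask with a hole, such as 255.0.255.0, is rejected: the interface
    page expects an ordinary contiguous mask.
    """
    mask = int(parse_dotted_quad(text))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous netmask: %r" % text)
    return prefix


def network_address(ip_text, netmask_text):
    """The Network Address column: the IP address ANDed with the netmask."""
    ip = parse_dotted_quad(ip_text)
    prefix = netmask_prefix(netmask_text)
    return str(ipaddress.IPv4Network((ip, prefix), strict=False).network_address)


def _row(ip_text, netmask_text):
    """One table row (Current or Boot) with its derived network address."""
    return {
        "ip": str(parse_dotted_quad(ip_text)),
        "netmask": str(parse_dotted_quad(netmask_text)),
        "network": network_address(ip_text, netmask_text),
    }


def validate_interface_form(form):
    """Check the Current and Boot rows and apply 'Synch Boot with Current'.

    Returns the rows that would be submitted, each with its Network Address,
    and raises ValueError for any field that is not valid dotted quad.
    """
    current = _row(form["current"]["ip"], form["current"]["netmask"])
    if form.get("sync_boot_with_current"):
        boot = dict(current)            # Boot row mirrors the Current row
    else:
        boot = _row(form["boot"]["ip"], form["boot"]["netmask"])
    # With Activate on Boot = Yes and Boot Protocol = none, the boot address
    # is what the port comes up with, so it must be a host address.
    if form.get("activate_on_boot") and form.get("boot_protocol", "none") == "none":
        if netmask_prefix(boot["netmask"]) < 31 and boot["ip"] == boot["network"]:
            raise ValueError("boot IP address equals the network address")
    return {"current": current, "boot": boot}


if __name__ == "__main__":
    # Constructed form contents, matching the values in Figure 3-4.
    form = {
        "current": {"ip": "160.86.14.81", "netmask": "255.255.255.0"},
        "boot": {"ip": "160.86.14.81", "netmask": "255.255.255.0"},
        "activate_on_boot": True,
        "boot_protocol": "none",
        "sync_boot_with_current": True,
    }
    for name, row in validate_interface_form(form).items():
        print(name, row)
```

Running the block prints the Current and Boot rows with 160.86.14.0 as the network address. The netmask check matters because a mask with non-contiguous bits is accepted by some tools and silently produces a network address that no neighbour agrees with.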
Configuring Routing

To configure routing, perform the following steps:

Step 1 If necessary, click on the Network Configuration link on the Navigation 
Bar and then click on the Routing tab. 

The Routing page displays. See Figure 3-5 . 



[Figure 3-5 screenshot: Routing page]

Current Kernel Routing Table:

Type  Destination   Gateway       Netmask      Device
net   192.168.13.0  0.0.0.0       255.255.0.0  eth3
net   10.0.0.0      0.0.0.0       255.0.0.0    eth1
net   127.0.0.0     0.0.0.0       255.0.0.0    lo
net   0.0.0.0       192.168.13.1  0.0.0.0      eth3

Home

Figure 3-5 Routing Page

This page contains two panes. The upper pane lets you change the Default
Gateway and open the View/Edit Static Routes page. The lower pane displays
the current kernel routing table.

Step 2 To enter/change the Default Gateway, type (or edit) the value in the Default 
Gateway field and then click on the Change button on the right of the field. 

Step 3 To view routing information, click on View/Edit Static Routes on the
Routing page (see Figure 3-5).

The Edit/View Static Routes page displays. See Figure 3-6.



[Figure 3-6 screenshot: Edit/View Static Routes page]

Kernel Routing Table:

Type  Destination  Gateway      Netmask        Device  Delete?  Save?
net   160.86.13.0  0.0.0.0      255.255.255.0  eth1    [ ]      [ ]
net   127.0.0.0    0.0.0.0      255.0.0.0      lo      [ ]      [ ]
net   0.0.0.0      160.86.13.1  0.0.0.0        eth1    [ ]      [ ]

Submit   Refresh   Reset

Add a Static Route:

Device  Type  Net/Host IP  Gateway  Netmask (net only)
eth1    host  [         ]  [     ]  [                ]

Both Tables   Save Only   Kernel Only   Reset

Saved Static Routes:

Type  Destination  Gateway  Netmask        Device  Delete?
net   160.86.13.0  0.0.0.0  255.255.255.0  eth1    [ ]
net   127.0.0.0    0.0.0.0  255.0.0.0      lo      [ ]

Submit   Reset

Figure 3-6 Edit/View Static Routes Page

The Edit/View Static Routes page has three panes. 

The upper pane displays the kernel routing table that contains the currently 
defined static routes for the appliance. This pane lets you specify whether 
a static route entry will be saved so that the route definition remains in the 
static route table after the appliance reboots, or whether a static route will 
be deleted after reboot. 

The middle pane lets you add a static route to the table. 

If no static routes have been saved, the lower pane displays the message No 
Static Routes are saved instead of the table of routes. If you previously 
clicked on a checkbox to save any static routes, the lower pane will include 
a table of those static routes. 
Step 4 To use the Kernel Routing Table pane to delete a static route, click on the
checkbox in the Delete? column for the route entry you want to delete. 
Click on the Submit button directly under the Kernel Routing Table pane 
to have the route deleted at the next appliance reboot. 

Step 5 To use the Kernel Routing Table pane to save a static route, click on the 
checkbox in the Save? column for the route entry you want to save. Saving 
the route makes it available after reboots and causes it to display in a static 
routes table in the lower pane of the page. Click on the Submit button 
directly under the Kernel Routing Table pane to ensure that the route will 
be saved after the next appliance reboot. 

Note The Device field identifies an interface on the same subnet as the gateway 
address for the route. 



Step 6 To add a static route, click on the arrow for the Device drop-down field and 
select the port for which you want to add a static route. 

Step 7 Click on the arrow for the Type drop-down field and select whether the 
static route is for a network address or a host address. 

Step 8 In the Net/Host IP field, type the IP address in dotted quad format. 

Step 9 In the Gateway field, type the IP address for the gateway for this static 
route in dotted quad format. 

Step 10 If the static route is for a Host address, skip this step. If the static route is 
for a network address, type the netmask in the Netmask field. 

Step 11 If you only want to save the new static route, click on the Save Only button.

--OR--

If you only want to add the new static route to the Kernel Routing Table,
click on the Kernel Only button.

--OR--

If you want to save the new static route (to make it available after reboots)
and add it to the Kernel Routing Table, click on the Both Tables button.

Step 12 When the frame refreshes, check the appropriate table(s) to verify that your 
new static route was added. 

Step 13 When you are finished viewing/editing the Kernel Routing Table, click on 
Return. 
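The kernel routing table from Figure 3-6 modelled in Python, with a longest-prefix lookup and the checks a new static route should pass before it goes into either table, in particular the Note above that the Device must be on the same subnet as the gateway. This is an added example, not PDS Pilot code. The eth1 address 160.86.13.2 is a constructed value, and writing a host type route as a /32 is this example's assumption about how the page's Type field is applied.

```python
"""Model the kernel routing table from the Edit/View Static Routes page and
check a new static route before it goes into either table.

Added example, not PDS Pilot code. The table rows are constructed from
Figure 3-6 (the 160.86.13.0/24 network, the default route via 160.86.13.1
on eth1, and the loopback route); the eth1 address 160.86.13.2 is a
constructed value, and writing a 'host' type route as a /32 is this
example's assumption about the page's Type field.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    kind: str          # "net" or "host", the page's Type column
    destination: str   # Net/Host IP in dotted quad
    gateway: str       # 0.0.0.0 means directly connected
    netmask: str       # used for net routes only
    device: str

    def network(self) -> ipaddress.IPv4Network:
        if self.kind == "host":
            return ipaddress.IPv4Network(self.destination + "/32")
        return ipaddress.IPv4Network(
            self.destination + "/" + self.netmask, strict=False)


# Constructed: device -> (IP address, netmask) of the appliance's ports.
INTERFACES: Dict[str, Tuple[str, str]] = {
    "eth1": ("160.86.13.2", "255.255.255.0"),
    "lo": ("127.0.0.1", "255.0.0.0"),
}

# Kernel Routing Table rows as shown in Figure 3-6.
KERNEL_TABLE: List[Route] = [
    Route("net", "160.86.13.0", "0.0.0.0", "255.255.255.0", "eth1"),
    Route("net", "127.0.0.0", "0.0.0.0", "255.0.0.0", "lo"),
    Route("net", "0.0.0.0", "160.86.13.1", "0.0.0.0", "eth1"),
]


def lookup(table: List[Route], dest: str) -> Optional[Route]:
    """Longest-prefix match: the row the kernel would use for dest."""
    addr = ipaddress.IPv4Address(dest)
    best = None
    for route in table:
        net = route.network()
        if addr in net and (best is None or net.prefixlen > best.network().prefixlen):
            best = route
    return best


def validate_static_route(route: Route, interfaces=INTERFACES,
                          table=KERNEL_TABLE) -> List[str]:
    """Problems that would keep the route from working (empty list if none)."""
    problems = []
    if route.device not in interfaces:
        return ["unknown device %s" % route.device]
    if_ip, if_mask = interfaces[route.device]
    if_net = ipaddress.IPv4Network(if_ip + "/" + if_mask, strict=False)
    gateway = ipaddress.IPv4Address(route.gateway)
    # The page's note: the Device must be on the same subnet as the gateway.
    if gateway != ipaddress.IPv4Address("0.0.0.0") and gateway not in if_net:
        problems.append("gateway %s is not on %s's subnet %s"
                        % (gateway, route.device, if_net))
    if route.kind == "net":
        try:   # strict: the destination must be a network address for its mask
            ipaddress.IPv4Network(route.destination + "/" + route.netmask)
        except ValueError:
            problems.append("destination %s has host bits set for netmask %s"
                            % (route.destination, route.netmask))
    elif route.kind != "host":
        problems.append("type must be net or host")
    # A second row for the same prefix would shadow or be shadowed by this one.
    for existing in table:
        if existing.network() == route.network():
            problems.append("a route for %s already exists via %s"
                            % (route.network(), existing.device))
    return problems


if __name__ == "__main__":
    print("8.8.8.8 ->", lookup(KERNEL_TABLE, "8.8.8.8"))
    proposed = Route("host", "10.1.2.2", "192.168.13.1", "", "eth1")
    print(validate_static_route(proposed))
```

The lookup shows why the order of rows on the page does not matter: the most specific prefix wins, and the 0.0.0.0 row only catches what nothing else matches. The validation rejects the common mistake of naming a gateway that the chosen device cannot reach directly.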



3-10 PDS Pilot v2.7 User Guide March 2003



Configuring Host/IP Mapping



To configure the Host/IP mapping for the appliance, perform the following steps: 

Step 1 If necessary, click on the Network Configuration link on the Navigation 
Bar and then click on the Host/IP Configuration tab. 

The Host/IP Configuration page displays. See Figure 3-7 . 



[Figure 3-7 screenshot: Host/IP Configuration page, with tabs Network Interfaces, Routing, Host/IP Configuration, and View/Edit ARP Cache]

Current Hostname: AnybancBoston    Change   Reset

Edit/View Functions
• View/Edit Hosts File
• View/Edit DNS Setup

Home

Figure 3-7 Host/IP Configuration Page

This page lets you change the hostname for your appliance, edit the hosts 
file, and edit DNS information. 

Step 2 To change your appliance's hostname, edit the Current Hostname field, 
and then click on Change. 

Step 3 To view or edit the existing Hosts information, click on the
View/Edit Hosts File button on the Host/IP Configuration page.
The View/Edit Hosts File page displays. See Figure 3-8.



[Figure 3-8 screenshot: View/Edit Hosts File page]

Add a Host Entry

IP Address  Host Name  Alias(es)
[        ]  [       ]  [       ]

Add Host   Reset

Host File Entries:

IP Address  Host Name  Alias(es)  Delete?
127.0.0.1   localhost
10.1.2.2    localhost             [ ]

Delete Host(s)   Reset   Return   Home

Figure 3-8 View/Edit Hosts File Page

This page contains two panes. The upper pane (Add a Host Entry) lets you 
add a host. The lower pane (Host File Entries) displays the file entries for 
the currently configured hosts. The first entry in the list that can be deleted 
is the default host; additional hosts in the list were added during 
configuration. This pane also lets you delete added hosts. 

Step 4 To add a host entry, type the IP Address, Host Name, and Alias of the host 
to be added and then click on the Add Host button. 

In the Alias(es) field, you can make multiple alias entries by separating 
them with a space. 

Step 5 To delete an added host, click on the Delete checkbox to the right of the 
host and then click on the Delete Host(s) button. 

Step 6 When you are finished viewing/editing the Hosts File Entries, click on the 
Return link to go back to the Host/IP Configuration page. 
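A check on Add a Host Entry submissions and on the resulting entries, in Python. This is an added example, not PDS Pilot code. The two entries are the ones shown in Figure 3-8 (both named localhost), which is exactly the case worth catching: a name listed with two addresses resolves to whichever line comes first, so the second entry never takes effect. The hosts-file layout assumed here is the usual one line per address, canonical name first, aliases after it.

```python
"""Validate Add a Host Entry submissions and check the resulting hosts file
for names that map to more than one address.

Added example, not PDS Pilot code. The two entries are the ones shown in
Figure 3-8; the hosts-file layout assumed here is the usual one line per
address, canonical name first, aliases after it.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

# One DNS-style label: letters, digits and hyphens, not starting or ending
# with a hyphen, at most 63 characters.
LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

Entry = Tuple[str, str, List[str]]   # (ip, host name, aliases)


def valid_hostname(name: str) -> bool:
    return 0 < len(name) <= 253 and all(LABEL.match(p) for p in name.split("."))


def make_entry(ip: str, hostname: str, aliases: str = "") -> Entry:
    """One submission of the Add a Host Entry pane; aliases are separated
    by spaces, as the page allows."""
    addr = ipaddress.IPv4Address(ip.strip())       # dotted quad only
    names = [hostname.strip()] + aliases.split()
    for n in names:
        if not valid_hostname(n):
            raise ValueError("invalid host name %r" % n)
    return str(addr), names[0], names[1:]


def render_hosts(entries: List[Entry]) -> str:
    """Hosts-file text, one line per entry."""
    lines = []
    for ip, name, aliases in entries:
        lines.append("\t".join([ip, " ".join([name] + aliases)]))
    return "\n".join(lines) + "\n"


def conflicting_names(entries: List[Entry]) -> Dict[str, List[str]]:
    """Names that appear with more than one address. Resolvers that read
    the file take the first matching line, so the later entry silently
    never takes effect."""
    seen: Dict[str, List[str]] = {}
    for ip, name, aliases in entries:
        for n in [name] + aliases:
            addrs = seen.setdefault(n.lower(), [])
            if ip not in addrs:
                addrs.append(ip)
    return {n: a for n, a in seen.items() if len(a) > 1}


# Constructed from the Host File Entries pane in Figure 3-8.
ENTRIES = [
    make_entry("127.0.0.1", "localhost"),
    make_entry("10.1.2.2", "localhost"),
]

if __name__ == "__main__":
    print(render_hosts(ENTRIES))
    print("conflicts:", conflicting_names(ENTRIES))
```

Because a hosts file is consulted before DNS, an entry added here overrides the answer the network would give for that name; the conflict check is the quickest way to see when two entries compete for the same name.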
View/Edit DNS Setup

Step 1 If necessary, click on the Network Configuration link on the Navigation
Bar and then click on the Host/IP Configuration tab.

The Host/IP Configuration page displays. See Figure 3-7 . 

Step 2 To view or edit Domain Name Service (DNS) information, click on
the View/Edit DNS Setup link on the Host/IP Configuration page. See
Figure 3-7.

The View/Edit DNS Setup page displays. See Figure 3-9 . 



[Figure 3-9 screenshot: View/Edit DNS Setup page, with tabs Network Interfaces, Routing, Host/IP Configuration, and View/Edit ARP Cache, and numbered Domain Name Servers and Search Domains fields]

Figure 3-9 View/Edit DNS Setup Page

Step 3 To identify a specific DNS server, type its IP address in a Domain Name 
Servers field and then click on the Submit button. The DNS servers 
specified in the numbered fields will be accessed in the order of the fields. 

Step 4 To specify that PDS Pilot search one or more domains for Domain Name 
Servers, type the domain names that you want to be searched (one domain 
name per line) in the Search Domains fields. The search domains specified 
in the numbered fields will be accessed in the order of the fields. 

Step 5 When you are finished entering domains to be searched, click on the 
Submit button. 

Step 6 When you are finished viewing/editing the DNS Setup information, click 
on the Return button. 
Editing the ARP Cache

To edit the ARP cache, perform the following steps:

Step 1 If necessary, click on the Network Configuration link on the Navigation 
Bar and then click on the View/Edit ARP Cache tab. 

The View/Edit ARP Cache page displays. See Figure 3-10 . 



[Figure 3-10 screenshot: View/Edit ARP Cache page]

Current ARP Table (columns include Delete? and Save? checkboxes)

Submit   Refresh

Flags: C = Complete
M = Permanent
P = Published

The hardware addresses for your PDS are:

eth1: 00:00:52:55:56:4F
eth2: 00:00:52:55:56:4E
eth3: 00:00:52:55:56:4D

Add an ARP Entry:

IP Address  HW Address  Publish?
[        ]  [        ]  [ ]

Both Tables   Save Only   Kernel Only   Reset

No ARP Entries are saved

Figure 3-10 View/Edit ARP Cache Page



This page contains four panes. The upper pane displays the current ARP 
configuration. It also lets you delete entries that you no longer need and 
specify whether an entry is to be saved so that it remains available to the 
system after reboots of the appliance. 

The second pane displays the hardware addresses for your appliance. The 
third pane lets you add a permanent ARP entry (associated IP addresses to 
hardware addresses) to the cache and specify whether the entry is to be 
published. 

The lower pane displays the currently configured ARP associations that 
will be saved across reboots. 
Step 2 To delete a permanent ARP association, click on the Delete checkbox in
the upper pane next to the association that you want to delete and then click 
on the Submit button for that pane. 

Step 3 To specify that an existing permanent ARP association is to be saved across 
reboots of the appliance, click on the Save checkbox in the upper pane next 
to the association that you want to have saved and then click on the Submit 
button for that pane. 

Step 4 To add a permanent ARP association, go to the third pane and type the ARP 
association's IP address in the IP Address field (using dotted quad 
format), and then type its hardware address in the HW Address field 
(using the format XX:XX:XX:XX:XX:XX where each X is a hexadecimal 
character 0-9, A-F). 

Step 5 Specify whether you want the new ARP association to be published by 
selecting the Publish checkbox. 

Step 6 If you only want to save the new ARP association, click on the Save Only
button.

--OR--

If you only want to add the new ARP association to the Current ARP Table,
click on the Kernel Only button.

--OR--

If you want to save the new ARP association and add it to the ARP Table,
click on the Both Tables button.

If you save the ARP association so that it remains after appliance reboots, 
the lower pane will display a table of the saved associations instead of the 
message No ARP entries are saved. 

Step 7 When the frame refreshes, check the appropriate table(s) to verify that your 
new ARP association was added. 

Step 8 When you are finished with the View/Edit ARP Cache page, click on the 
Return link. 
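The hardware address format from Step 4 and the flags legend from Figure 3-10, used to parse the upper pane and to check a proposed permanent entry against what the cache currently holds. This is an added example, not PDS Pilot code. The cache rows are constructed in the page's column order with made-up hardware addresses; the appliance port addresses are those listed in Figure 3-10. A permanent entry pins an IP address to one hardware address for every later packet, so the point of the check is to notice when that differs from the address the cache has learned.

```python
"""Parse the upper pane of the View/Edit ARP Cache page and check a new
permanent entry before adding it.

Added example, not PDS Pilot code. The cache rows are constructed in the
page's column order (IP Address, HW Address, Flags, Device) with made-up
hardware addresses; the appliance port addresses are those listed in
Figure 3-10, and the HW address syntax is the XX:XX:XX:XX:XX:XX form the
page specifies.
"""
import ipaddress
import re
from typing import Dict, List, NamedTuple

HW_ADDRESS = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Flags legend from the page.
FLAG_NAMES = {"C": "Complete", "M": "Permanent", "P": "Published"}


class ArpEntry(NamedTuple):
    ip: str
    hw: str
    flags: str
    device: str

    def is_permanent(self) -> bool:
        return "M" in self.flags


# The appliance's own ports, as shown in the second pane of Figure 3-10.
LOCAL_HW = {
    "eth1": "00:00:52:55:56:4F",
    "eth2": "00:00:52:55:56:4E",
    "eth3": "00:00:52:55:56:4D",
}

# Constructed sample of the Current ARP Table pane.
ARP_TABLE_TEXT = """\
IP Address     HW Address         Flags  Device
160.86.13.1    00:A0:C9:11:22:33  C      eth1
160.86.13.40   00:A0:C9:44:55:66  CM     eth1
"""


def normalize_hw(text: str) -> str:
    text = text.strip()
    if not HW_ADDRESS.match(text):
        raise ValueError("HW address must be XX:XX:XX:XX:XX:XX, got %r" % text)
    return text.upper()


def parse_arp_table(text: str) -> List[ArpEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("IP Address"):
            continue                     # blank line or header row
        ip, hw, flags, device = line.split()
        if set(flags) - set(FLAG_NAMES):
            raise ValueError("unknown flag in %r" % flags)
        entries.append(ArpEntry(str(ipaddress.IPv4Address(ip)),
                                normalize_hw(hw), flags, device))
    return entries


def check_new_entry(ip: str, hw: str, table: List[ArpEntry],
                    local_hw: Dict[str, str] = LOCAL_HW) -> List[str]:
    """Problems with a proposed Add an ARP Entry submission (empty if none)."""
    problems = []
    ip = str(ipaddress.IPv4Address(ip.strip()))
    hw = normalize_hw(hw)
    if hw in (h.upper() for h in local_hw.values()):
        problems.append("%s is one of the appliance's own port addresses" % hw)
    # Group bit set in the first octet means broadcast or multicast.
    if int(hw[:2], 16) & 1:
        problems.append("%s is a broadcast or multicast address, not a host" % hw)
    for entry in table:
        if entry.ip == ip and entry.hw != hw:
            problems.append("%s currently resolves to %s (flags %s), not %s"
                            % (ip, entry.hw, entry.flags, hw))
    return problems


def shared_hw(table: List[ArpEntry]) -> Dict[str, List[str]]:
    """Hardware addresses that answer for more than one IP address; normal
    for a router, otherwise worth a look."""
    by_hw: Dict[str, List[str]] = {}
    for entry in table:
        by_hw.setdefault(entry.hw, []).append(entry.ip)
    return {hw: ips for hw, ips in by_hw.items() if len(ips) > 1}


if __name__ == "__main__":
    table = parse_arp_table(ARP_TABLE_TEXT)
    for e in table:
        print(e, "permanent" if e.is_permanent() else "learned")
    print(check_new_entry("160.86.13.1", "00:A0:C9:99:99:99", table))
```

The constructed table has one learned entry (flag C) and one permanent entry (flags CM). Proposing a different hardware address for 160.86.13.1 returns a problem naming the address the cache holds now, which is the moment to confirm which one is right before pinning it.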
Logging Configuration

PDS Pilot 2.7 allows for extensive logging of system activity. Support is included for
local logging, logging to a remote syslog server, or to a specific file or network port.
These pages let you manage the logging of appliance information by specifying what
to log and where the information is sent.



Viewing the Logging Configuration



To view the logging configuration, perform the following steps: 

Step 1 If necessary, click on the Logging Configuration link on the Navigation 
Bar. 

The Logging Configuration page displays. See Figure 3-11 . 
[Figure 3-11 screenshot: Logging Configuration page]

Current Syslog-NG Status
Status: Running   Stop

Syslog-NG Boot Status
Status: Enabled   Disable

Logs: Click a log name to edit
spooler

Figure 3-11 Logging Configuration Page

The Logging Configuration page displays the current Syslog-NG 
configuration in four panes. The upper pane displays the current Syslog- 
NG status and it lets you start, stop, or restart the Syslog-NG. The second 
pane displays the current boot status and it lets you enable or disable the 
initiation of logging on reboot. The third pane displays the logs that are 
currently defined and it lets you view each log and delete a log that is no 
longer needed. The lower pane lets you add a log to the Syslog-NG 
configuration. 
Step 2 To change the status of appliance logging, click on the appropriate button
(Start, Stop, Restart) in the upper pane. The Current Syslog-NG Status
changes to reflect your selection.

Step 3 To change the boot status of appliance logging, click on the appropriate 
button (Enable, Disable) in the second pane (the name of the button 
changes with the status). The Syslog-NG Boot Status changes to reflect 
your selection. 



Editing an Existing Log File Configuration



To edit an existing log file configuration, perform the following steps: 

Step 1 If necessary, click on the Logging Configuration link on the Navigation 
Bar. The Logging Configuration page displays. 

Step 2 On the Logs pane of the Logging Configuration page, click on the link for 
the Log that you want to edit. 

The Edit Log Entry page displays. See Figure 3-12 . 
[Figure 3-12 screenshot: Edit Log Entry page, with a Source pane, a pane for what to log, and a pane for where the log is sent]

Figure 3-12 Edit Log Entry Page

This page has three panes that show the current configuration of the log
you selected and lets you make configuration changes. The upper pane 
displays the source of the log and lets you change the source. The middle 
pane lets you specify what is to be logged. The lower pane lets you specify 
where the log is to be sent. 

Step 3 To change the source for the log, click on the appropriate checkbox (devlog,
internal, kernel) in the Source pane.

Step 4 In the second pane, select what you want to log by clicking on a radio 
button on the left, and then specifying the criteria or item to log. For 
example, to log a facility, click on the facility radio button and then select 
a facility from the drop-down list. To log a host, click on the host radio 
button and then type the host name in the text field. 




Reminder If you have configured remote logging, you must configure the remote 
logging server to accept the logging information that the appliance sends to it. 



Step 5 In the lower pane, select where you want the log to be sent. If you want the 
log to be stored in a file on the appliance, click on the file radio button and 
then type the complete path and filename. 

If you want the log to be sent via TCP to an IP address, click on the tcp 
radio button and then type the destination IP address (in dotted quad 
format) in the ip: text field. Type the port into the port: text field. 

If you want the log to be sent via UDP to an IP address, click on the udp 
radio button and then type the destination IP address (in dotted quad 
format) in the ip: text field. Type the port into the port: text field. 

Step 6 When you have finished specifying the new logging configuration, click on 
the Submit Changes button, and then click on the Return link. 

The Logging Configuration page displays. See Figure 3-11 . 

Step 7 When you are finished making changes to the logging configuration, click 
on the Activate Changes link. 



Deleting a Log File Configuration

To delete a log file configuration, perform the following steps:

Step 1 If necessary, click on the Logging Configuration link on the Navigation 
Bar. The Logging Configuration page displays. 

Step 2 From the Logging Configuration page, click on the del link on the row for 
the Log that you want to delete. 

Step 3 When you are finished making changes to the logging configuration, click 
on the Activate Changes link. 
Adding a Log File Configuration



To add a log file configuration to the logging configuration, perform the following 
steps: 



Step 1 If necessary, click on the Logging Configuration link on the Navigation 
Bar. The Logging Configuration page displays. 

Step 2 On the Logging Configuration page, click on the Add link in the lower 
pane. 

The Edit Log Entry page displays. See Figure 3-12 . 

This page is identical to the page used to edit a log file configuration. The 
upper pane lets you enter the source. The middle pane lets you specify what 
is to be logged. The lower pane lets you specify where the log is to be sent. 

Step 3 To specify the source for the log, click on the appropriate checkbox(es)
(devlog, internal, kernel) in the Source pane.

Step 4 In the second pane, select what you want to log by clicking on a radio
button on the left and then specify the criteria or item to log. For example,
to log a facility, click on the facility radio button and then select a facility 
from the drop-down list. To log a host, click on the host radio button and 
then enter the host name in the text field. 




Reminder If you have configured for remote logging, you must configure the remote 
logging server to accept the logging information that the appliance sends to it. 



Step 5 In the lower pane, select where you want the log to be sent. If you want the 
log to be stored in a file on the appliance, click on the file radio button and 
then type the complete path and filename. 

If you want the log to be sent via TCP to an IP address, click on the tcp 
radio button and then type the destination IP address (in dotted quad 
format) in the ip text field. Type the port into the port text field. 

If you want the log to be sent via UDP to an IP address, click on the udp 
radio button and then type the destination IP address (in dotted quad 
format) in the ip text field. Type the port into the port text field. 

Step 6 When you have finished specifying the new logging configuration, click on 
the Submit Changes button. The Logging Configuration page displays. 
See Figure 3-11 . 

Step 7 When you are finished making changes to the logging configuration, click 
on the Activate Changes link. 
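The three panes of the Edit Log Entry page, used both for editing and for adding a log file configuration above, rendered as a syslog-ng configuration fragment, together with the checks on the destination fields (complete path, dotted quad IP, valid port) and the listener the Reminder says the remote logging server must have. This is an added example in Python, not PDS Pilot code; the guide does not show the configuration the appliance generates. The mapping of the Source checkboxes to drivers (devlog to unix-stream("/dev/log"), internal to internal(), kernel to file("/proc/kmsg")) and the receiver fragment are this example's assumptions, written in syslog-ng's classic source/filter/destination/log syntax. The sample entry is constructed.

```python
"""Render the Edit Log Entry page's three panes as a syslog-ng configuration
fragment, and check the destination fields before they are submitted.

Added example, not PDS Pilot code; the appliance's own generated
configuration is not shown in the guide. The mapping of the Source
checkboxes to drivers (devlog -> unix-stream("/dev/log"), internal ->
internal(), kernel -> file("/proc/kmsg")) and the receiver fragment for the
remote server are this example's assumptions, written in syslog-ng's
classic source/filter/destination/log syntax. The sample entry is
constructed.
"""
import ipaddress
from typing import Dict, List

SOURCE_DRIVERS = {                       # Source pane checkboxes
    "devlog": 'unix-stream("/dev/log")',
    "internal": "internal()",
    "kernel": 'file("/proc/kmsg")',
}
FACILITIES = {"auth", "authpriv", "cron", "daemon", "kern", "lpr", "mail",
              "news", "syslog", "user", "uucp"} | {"local%d" % i for i in range(8)}


def render_filter(match: Dict[str, str]) -> str:
    """Second pane: exactly one radio button (facility or host) is selected."""
    if len(match) != 1:
        raise ValueError("select exactly one of facility/host")
    (kind, value), = match.items()
    if kind == "facility":
        if value not in FACILITIES:
            raise ValueError("unknown facility %r" % value)
        return "facility(%s)" % value
    if kind == "host":
        if not value or any(c in value for c in '" \\'):
            raise ValueError("invalid host name %r" % value)
        return 'host("%s")' % value
    raise ValueError("unknown selector %r" % kind)


def render_destination(dest: Dict[str, str]) -> str:
    """Lower pane: file with a complete path, or tcp/udp with ip and port."""
    kind = dest["type"]
    if kind == "file":
        path = dest["path"]
        if not path.startswith("/") or ".." in path.split("/"):
            raise ValueError("a complete path is required: %r" % path)
        return 'file("%s")' % path
    if kind in ("tcp", "udp"):
        ip = ipaddress.IPv4Address(dest["ip"])     # dotted quad only
        port = int(dest["port"])
        if not 1 <= port <= 65535:
            raise ValueError("port out of range: %d" % port)
        return '%s("%s" port(%d))' % (kind, ip, port)
    raise ValueError("unknown destination type %r" % kind)


def render_log_entry(name: str, sources: List[str], match: Dict[str, str],
                     dest: Dict[str, str]) -> str:
    """The whole Edit Log Entry page as one source/filter/destination/log set."""
    unknown = [s for s in sources if s not in SOURCE_DRIVERS]
    if not sources or unknown:
        raise ValueError("bad source selection %r" % (unknown or sources))
    src = " ".join(SOURCE_DRIVERS[s] + ";" for s in sources)
    return ("source s_%s { %s };\n" % (name, src)
            + "filter f_%s { %s; };\n" % (name, render_filter(match))
            + "destination d_%s { %s; };\n" % (name, render_destination(dest))
            + "log { source(s_%s); filter(f_%s); destination(d_%s); };\n"
            % (name, name, name))


def render_receiver(kind: str, port: int, bind_ip: str = "0.0.0.0") -> str:
    """What the remote logging server needs (the page's Reminder): a
    listener on the same protocol and port, bound to the address that
    faces the appliance rather than to every interface where possible."""
    if kind not in ("tcp", "udp") or not 1 <= port <= 65535:
        raise ValueError("receiver needs tcp/udp and a valid port")
    bind_ip = str(ipaddress.IPv4Address(bind_ip))
    return 'source s_from_appliance { %s(ip("%s") port(%d)); };\n' % (kind, bind_ip, port)


if __name__ == "__main__":
    # Constructed entry: auth facility from devlog and kernel, sent over TCP.
    print(render_log_entry("remote_auth", ["devlog", "kernel"],
                           {"facility": "auth"},
                           {"type": "tcp", "ip": "10.1.2.10", "port": "514"}))
    print(render_receiver("tcp", 514, "10.1.2.10"))
```

The fragment for the appliance side and the listener for the server side must agree on protocol and port, which is the usual reason a remote log destination silently receives nothing. Path and port validation mirrors what the page's text fields ask for, so a typo is caught before Activate Changes is clicked.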
System Status/Control

This area allows you to monitor the system, check network connectivity, and set
information specific to the operation of the PDS Pilot.



Viewing/Updating System Identification Information



To view or update the system identification information, perform the following steps: 
Step 1 Click on the System Status/Control link on the Navigation Bar. 
The System Identification page displays. See Figure 3-13 . 
[Figure 3-13 screenshot: System Identification page, with SNMPD status and boot status in the upper pane and System Information fields in the lower pane]

Figure 3-13 System Identification Page

This page has two panes. The upper pane displays the current SNMPD 
(Simple Network Management Protocol Daemon) status and lets you 
change the status. The upper pane also displays the SNMPD boot status and 
lets you change the status. If the snmpd is not installed, it displays snmpd 
is not installed and an Install SNMPD link that lets you install the 
SNMP daemon. 

The lower pane displays basic system information and lets you enter or edit 
the information. 

Step 2 To change the current SNMPD status, click on the Start/Stop link (the
name of the link changes with the status).

Step 3 To change the SNMPD boot status, click on the Enable/Disable link (the
name of the link changes with the status).
Step 4 To specify a system name, type the name into the System Name field under
System Information. 

Step 5 To specify a location, type the location name into the Location field under 
System Information. 

Step 6 To specify a description of the system, type the name into the System 
Description field under System Information. 

Step 7 To specify a contact name for the system, type the name of the contact into 
the Contact Name field under System Information. 

Step 8 When you are finished making changes to the system information, click on 
the Update button. 



Setting the System Time Manually

The system time is maintained in the hardware in Universal Time Coordinated (UTC)
form. All system logging is recorded using UTC. For user convenience, the PDS
Pilot lets you set the local time, indicating your time zone, and the current time and
date. The system then resets the hardware time to the corresponding time/date in UTC.

To set the system time manually, perform the following steps: 

Step 1 If necessary, click on System Status/Control link on the Navigation Bar. 

Step 2 Click on the Set Sys Time tab. 

The Set Time Manually page displays. See Figure 3-14 . 
[Figure 3-14 screenshot: Set Time Manually page, with Timezone, Hour, Minutes, Day of Month, Month, and Year fields and a Set Time button]

Figure 3-14 Set Time Manually Page

This page displays the current time in Universal Time Coordinated (UTC)
format. Generally, you will need to change only the Local Timezone to 
synchronize your local time to UTC time. However, if you want to reset the 
time/date, you can do so using this page. 

Step 3 To set your local timezone, click in the Timezone field, and select your 
timezone from the drop-down list. 

Step 4 To change the system time/date manually, change the Hour, Minutes, Day 
of Month, Month, or Year fields by clicking in the field and selecting a 
value from the drop-down list. 

Step 5 When you have changed all the fields necessary to set the time, click on the 
Set Time button. 

If you set the time backward any amount of time, or forward less than your 
user timeout value, the page refreshes with the new time setting. If you set 
the time forward more than your user timeout value, you will be forced to 
log in again. 



Halting/Rebooting the System

The Halt/Reboot tab of System Status/Control lets you halt or reboot the appliance.
Halting stops all processing; rebooting cold-starts the system.



Note When you halt the system on some appliances, you may need to cycle power to 
the unit to bring the system up again. On hardware that has a Power switch, you'll need 
to set the Power switch to OFF (0) and then set it back to ON (1). On hardware without 
a Power switch, you'll need to unplug the power cord from the power outlet and then 
plug it back in. 
Halting the System



To halt the system, perform the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. 

The System Identification page displays (Figure 3-13).

Step 2 Click on the Halt/Reboot tab.

The Halt/Reboot page displays. See Figure 3-15 . 



[Figure 3-15 screenshot: Halt/Reboot page with Halt and Reboot links]

Figure 3-15 Halt/Reboot Page



Step 3 Click on the Halt link. 

The Halt Warning Dialog displays. See Figure 3-16 . 



[Figure 3-16 screenshot: Microsoft Internet Explorer dialog]
WARNING: You are about to halt your system.
Do you wish to continue?
OK   Cancel

Figure 3-16 Halt Warning Dialog

Step 4 Click on the OK button. 

The following message displays. See Figure 3-17 . 

System will halt in approximately 10 seconds. 



Figure 3-17 Halt Message 
The system is halted. The PDS Pilot has no further effect until the system
is restarted. 

Rebooting the System

To reboot the system, perform the following steps:

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. 

The System Identification page displays (Figure 3-13).

Step 2 Click on the Halt/Reboot tab.

The Halt/Reboot page displays. See Figure 3-15.

Step 3 Click on the Reboot link.

The Reboot Warning Dialog displays. See Figure 3-18 . 



[Figure 3-18 screenshot: Microsoft Internet Explorer dialog]
WARNING: You are about to reboot your system.
Do you wish to continue?
OK   Cancel

Figure 3-18 Reboot Warning Dialog

Step 4 Click on the OK button. 

The system reboots and the following message displays. See Figure 3-19. 

System will now reboot. This may take several minutes. 

Wait for system to finish rebooting before logging back in. 
Return to login screen 



Figure 3-19 Reboot Message Page 

Step 5 Wait for the system to reboot (it may actually take several minutes) and 
then click on the Return to login screen link. 

If the system has finished rebooting, the Login page displays. If it has not 
finished rebooting, you will get an HTTP 500 Cannot find server 
message indicating that the PDS Pilot is not responding because the system 
has not finished rebooting. 

Step 6 If you got the HTTP 500 message, wait for a few seconds and then click on 
the Reload or Refresh button on your browser. 

Step 7 When the Login page displays, log in to the system again. 
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Diagnostic Tools 



The diagnostic tools let you test connectivity and general system status. To use the 
system's diagnostic tools, perform the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays (Figure 3-13). 

Step 2 Click on the Diag Tools tab. 

The Diagnostic Commands page displays. See Figure 3-20. 

Figure 3-20 Diagnostic Commands Page 

This page displays a Diagnostic Commands table that contains rows of tools that let 
you obtain various information that may be helpful in troubleshooting problems with 
the system. 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays (Figure 3-13). 

Step 2 Click on the Diag Tools tab. 

Step 3 In the text field on the Ping a Remote Host row of the Diagnostic 
Commands table, type the hostname or the IP address of the host to be 
pinged in dotted quad format and then click on the Go button. 

The requested information displays. 

Step 4 Click on the Return button to go back to the Diagnostic Commands page. 
Trace the Route to a Remote Host 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 To trace the route to a remote host, in the text field on the Trace the Route 
to a Remote Host row of the Diagnostic Commands table, type the 
hostname or the IP address of the host to be traced in dotted quad format 
and then click on the Go button. 

The requested information displays. 

Step 4 Click on Return to go back to the Diagnostic Commands page. 

Show Disk Utilization 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 To view the appliance disk utilization, click on Once in the Show disk 
utilization information row of the Diagnostic Commands table. 

The requested information displays. 

Step 4 Click on the Return button to go back to the Diagnostic Commands page. 

Display a Single List of Processes 

To display a single list of processes running on the appliance, perform the following 
steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 Click on the Once link in the List processes running on this machine row 
of the Diagnostic Commands table. 

The requested information displays. 

Step 4 Click on the Return button to go back to the Diagnostic Commands page. 

Display an Updating List of Processes 

To display a continuously updating list of processes running on the appliance, 
perform the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 Click on the Repeatedly link in the List processes running on this 
machine row of the Diagnostic Commands table. 

The requested information displays in a new browser window. The window 
has Stop Monitor, Pause, and Resume buttons that let you control the 
display of information. 

Step 4 Click on the Return button to go back to the Diagnostic Commands page. 
Display Network Status on a Single List 

To display a single list showing the network status, perform the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 Click on the Once link in the Display network status information row of 
the Diagnostic Commands table. 

The requested information displays. 

Step 4 Click on the Return button to go back to the Diagnostic Commands page. 

Display Network Status on an Updating List 

To display a continuously updating list showing the network status, perform the 
following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 Click on the Repeatedly link in the Display network status information 
row of the Diagnostic Commands table. 

The requested information displays in a new browser window. The window 
has Stop Monitor, Pause, and Resume buttons that let you control the 
display of information. 

Show Kernel IP Routing Table in a Single List 

To display a single list showing the kernel IP routing table for the appliance, perform 
the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 Click on the Once link in the Show the kernel IP routing table row of the 
Diagnostic Commands table. 

The requested information displays. 

Step 4 Click on the Return button to go back to the Diagnostic Commands page. 

Show Kernel IP Routing Table in an Updating List 

To display a continuously updating list showing the kernel IP routing table for the 
appliance, perform the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 Click on the Repeatedly link in the Show the kernel IP routing table row 
of the Diagnostic Commands table. 

The requested information displays in a new browser window. The window 
has Stop Monitor, Pause, and Resume buttons that let you control the 
display of information. 
Show Network Interface Configuration in a Single List 

To display a single list showing the current network interface configurations, perform 
the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 Click on the Once link in the Show network interface configuration row 
of the Diagnostic Commands table. 

The requested information displays. 

Step 4 Click on the Return button to go back to the Diagnostic Commands page. 

Show Network Interface Configuration in an Updating List 

To display a continuously updating list showing the current network interface 
configurations, perform the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Diag Tools tab. 

Step 3 Click on the Repeatedly link in the Show network interface 
configuration row of the Diagnostic Commands table. 

The requested information displays in a new browser window. The window 
has Stop Monitor, Pause, and Resume buttons that let you control the 
display of information. 



Backup/Restore 

This page lets you back up your appliance information to an ftp server and restore it 
to the appliance from that server. Perform the following steps: 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Backup/Restore tab. 

The Backup/Restore System page displays. See Figure 3-21. 
The link at the bottom of the page will read Backup/Restore SecureNet 
Sensor Configuration or Backup/Restore Check Point VPN-1/ 
FireWall-1 (NG) Configuration, depending on the application installed. 

Figure 3-21 Backup/Restore System Page 

Step 3 In the Server field, type the IP address for the ftp server. 

Step 4 In the Path field, type the path to the directory on the ftp server. 

Step 5 In the Filename field, type the name of the backup file. 

Step 6 In the Username field, type the username to be used to log into the ftp 
server. If the server allows anonymous logins, you can leave the default 
username anonymous. 

Step 7 In the Password field, type the password to be used to log into the ftp 
server. If the server allows anonymous logins, you can leave this field 
blank. 

Step 8 Select the operation to perform by selecting the appropriate radio button 
(Backup or Restore). All %config files that are part of an RPM package 
on the appliance will be backed up. 

Step 9 If SecureNet Sensor (formerly SecureNet Pro) is installed, click on the 
Backup/Restore SecureNet Sensor link at the bottom of the Backup/ 
Restore System page (Figure 3-21). 
All files in the directory /usr/local/etc/SNP are backed up. The Backup/ 
Restore page redisplays as shown in Figure 3-22. 

Figure 3-22 Backup/Restore SecureNet Sensor Page 

Step 10 If Check Point VPN-1/FireWall-1 NG is installed, click on the Backup/ 
Restore Check Point VPN-1/FireWall-1 Configuration link at the 
bottom of the Backup/Restore System Configuration page (Figure 3-23). 

Figure 3-23 Backup/Restore Check Point VPN-1/FireWall-1 Page 

All files in the /etc/fwconf directory are backed up. The Backup/Restore 
page redisplays as shown in Figure 3-24. 

Figure 3-24 Backup/Restore Application Page 

Step 11 After you have made all needed changes for the page, click on the Submit 
button to complete the backup or restoration. 

Note During a Restore operation, the PDS appliance will automatically reboot. 
Security 



This page lets you start and stop the secure shell (SSH) on boot and it lets you generate 
a new Secure Socket Layer (SSL) certificate. 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Security tab. 

The Security page displays. See Figure 3-25. 

Figure 3-25 Security Settings Page 



The upper pane of this page lets you specify whether SSH will start on 
boot. The lower pane of the Administration page lets you generate a new 
SSL certificate. 

Step 3 To change the SSH boot status, click on Start SSH on Boot/Disable SSH 
on Boot (the name of the button changes with the status). 

The SSH Boot Status changes to reflect your selection. 



700-0599-101 Rev. I 3-33 




Step 4 To enable or disable the Remote Management Port, click on the Enable/ 
Disable Remote Management Port link. The Remote Management Port 
status will change accordingly. 

Note The Remote Management port is reserved for future use. 

Step 5 To generate a new certificate, fill in the form in the lower pane with your 
specific information. Note that all fields are required. 

Step 6 When you are finished entering the information in the form, click on the 
Generate button to generate the new certificate. 



Access Control 



Access control lets you add and remove user accounts, change the root password, 
and edit modem user information. 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Access Control Functions 

• View/Edit Management Tool Users 

• View/Edit Modem User Data 

• Change Password for Linux Root Account 

• Show Current Login Information 

Figure 3-26 Access Control Page 




Note If your appliance includes a modem, but the callback icom service is not 
installed, a page displays to allow you to install the service. 
View/Edit Management Tool Users 



Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

Step 3 On the Access Control page, click on View/Edit Management Tool Users. 

The Maintain Management Tool Users page displays. See Figure 3-27. 

Figure 3-27 Maintain Management Tool Users Page 



This page has three panes. The upper pane lets you add or delete 
management tool users. The middle pane lets you set the default 
management session timeout for new users, that is, the number of minutes 
that the new user can leave the PDS Pilot idle without having to log in 
again. The lower pane lets you change your PDS Pilot password. 
Add a New Management Tool User 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Step 3 Click on Add a New Management Tool User. 

The Add User page displays. See Figure 3-28. 

[Add User form: Username, New Password, Verify Password, Timeout Value (in 
minutes) with default 10, Auth Level with default Read-Only; Add User and Reset 
buttons] 

Figure 3-28 Add User Page 

Step 4 In the Username field, type the username of the new user. 

Note The administrative console password must have eight or more alphanumeric 
characters. To enhance the security of the password, you can mix uppercase and 
lowercase characters. Password fields display all characters as asterisks to prevent 
inadvertent disclosure. 




Step 5 In the New Password field, use the guidelines noted above and type a 
unique password for the new user account. 

Step 6 In the Verify Password field, type the password again exactly as you typed 
it in the New Password field. 

Step 7 In the Timeout Value field, type the amount of time (in minutes) that the 
new user can leave the PDS Pilot idle before having to log in again. 

Note This timeout value relates to timing out of the PDS Pilot GUI and is not the same 
as the autologout timeout value that is in effect when at a command line. For more 
information about command line autologout, refer to "autologout" and "TMOUT" in 
Appendix G Glossary of Terms and Abbreviations. 



Step 8 Click on the Auth Level field and then select the authorization level of the 
new user (Admin or Read-Only). 
Step 9 When you are finished entering the required information, click on the Add 
User button. 

The Access Control page displays with the new user listed. See 
Figure 3-26. 

Edit a Management Tool User 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays (Figure 3-26). 

Step 3 Click on the View/Edit Modem User Data link. The Maintain 
Management Tool Users page displays (Figure 3-27). 

Step 4 To edit an existing management tool user, click on the link for the username 
in the Username column at the top of the page. 

The Edit Management Tool User page shown in Figure 3-29 displays. 



[Edit Management Tool User: intrusion form, with the note "Changes will take effect 
on next login"; fields Username: intrusion, Timeout Value (in minutes): 10, Auth 
Level: Admin; Update User and Reset buttons] 

Figure 3-29 Edit Management Tool User Page 

Step 5 To change the timeout value, change the number in the Timeout Value text 
field. The number indicates the minutes before timeout for this user. 

Step 6 To change the authorization level, click on the pulldown for the Auth 
Level field and click on the appropriate authorization level. The Admin 
level provides the most user privileges and the Read Only level allows for 
read-only access. 
Delete a Management Tool User 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Note If there is only one management tool user, no del link displays on the page, so 
deletion is not possible. 



Step 3 To delete an existing management tool user, click on the del link to the 
right of the username. 

The Maintain Management Tool Users page refreshes and the selected user 
is deleted. 

Set Default Timeout for New Users 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

Step 3 Edit the Default Timeout for New Users field (number of whole minutes) 
and then click on Update Timeout. 

Change your Administrator's Password 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Note The administrative console password must have eight or more alphanumeric 
characters. To enhance the security of the password, you can mix uppercase and 
lowercase characters. Password fields display all characters as asterisks to prevent 
inadvertent disclosure. 



In the Current Password field in the lower pane, type your current 
password. 

Step 3 In the New Password field, use the guidelines noted above to type a unique 
password for the administrator account. 

Step 4 In the Confirm New Password field, type the password again exactly as 
you typed it in the New Password field. 

Step 5 Click on the Change Password button. 
View/Edit Modem User Data 



Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Step 3 If your appliance includes a modem, click on the View/Edit Modem User 
Data link. 

If the callback icom service is installed, the Modem User Data page 
displays. See Figure 3-30. 

[Modem User Data page: Change Password for 'modemuser' account (Current 
Password, New Password, Confirm New Password); Call-back Number field with Add 
Number button; Valid Call-back Numbers table (Phone Number, Delete?) listing 
8775551212; Delete Number(s) and Reset buttons] 

Figure 3-30 Modem User Data Page 

The Modem User Data page lets you change the current password for the 
modemuser account and it lets you specify a call-back number for the 
modem. If the callback icom service has not been installed, the upper area 
of this window lets you install the service. 

Change Modem Account Password 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Step 3 Click on the View/Edit Modem User Data link. 

Step 4 If you have not installed the callback icom service, click on the link to 
install it. 

The service installs and a dialog displays indicating successful installation. 




Note The password must have eight or more alphanumeric characters. To enhance the 
security of the password, you can mix uppercase and lowercase characters. Password 
fields display all characters as asterisks to prevent inadvertent disclosure. 



Step 5 In the Current Password field in the upper pane, use the guidelines noted 
above to type the current modem call-back password. 

Step 6 In the New Password field, type a unique password for the modemuser 
account. 

Step 7 In the Confirm New Password field, type the password again exactly as 
you typed it in the New Password field. 

Step 8 Click on the Change button. 

Add a New Modem Call-back Number 

A modem callback is a call made by a modem in response to an incoming call. When 
the caller enters the username "modemuser" along with the correct password, the 
modem prompts for a call-back number and, if the number entered matches an 
existing number in the list of call-back numbers, the modem hangs up and dials the 
authorized number. 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Step 3 Click on the View/Edit Modem User Data link. 

Step 4 If you have not installed the callback icom service, click on the link to 
install it. 

The service installs and a dialog displays indicating successful installation. 

Step 5 In the lower pane of the Modem User Data page (see Figure 3-30), type a 
telephone number complete with any required country codes and area codes, 
and then click on the Add Number button. 

The new number displays in the call-back numbers area at the bottom of 
the page. 




Note Call-back numbers cannot be edited. To change a call-back number, delete the 
current number by clicking on the del checkbox next to the number in the list and 
then add the corrected number as a new call-back number. 
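The call-back decision described above (correct modemuser password first, then the requested number must exactly match an entry in the call-back list, otherwise no dial), as an added Python example that is not the PDS Pilot's own code. The class and function names are this example's own, reducing numbers to their digits before comparing is an assumption, and 8775551212 is the sample number from Figure 3-30.

```python
"""Added example (not PDS Pilot code): the modem call-back decision described
in the manual. Names here are this example's own; 8775551212 is the sample
number shown in Figure 3-30."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

MODEM_ACCOUNT = "modemuser"   # the fixed account name the caller must enter


def normalize_number(raw: str) -> str:
    """Reduce a dialled number to its digits (assumption: stored numbers already
    include country and area codes, so '+1 (877) 555-1212' and '18775551212'
    denote the same entry)."""
    return "".join(ch for ch in raw if ch.isdigit())


def _verifier(password: str, salt: bytes) -> bytes:
    # Store a PBKDF2 verifier, never the cleartext modem password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class ModemUserData:
    """What the Modem User Data page maintains: one password for the modemuser
    account and the list of authorized call-back numbers."""
    salt: bytes
    verifier: bytes
    callback_numbers: set = field(default_factory=set)

    @classmethod
    def create(cls, password: str) -> "ModemUserData":
        # The manual's rule: eight or more alphanumeric characters
        # (it also recommends mixing upper- and lowercase).
        if sum(ch.isalnum() for ch in password) < 8:
            raise ValueError("password must have eight or more alphanumeric characters")
        salt = os.urandom(16)
        return cls(salt=salt, verifier=_verifier(password, salt))

    def check_password(self, password: str) -> bool:
        # Constant-time comparison of the derived verifier.
        return hmac.compare_digest(_verifier(password, self.salt), self.verifier)

    def change_password(self, current: str, new: str) -> None:
        # Require the current password, as the page's Current Password field does.
        if not self.check_password(current):
            raise PermissionError("current password is incorrect")
        replacement = ModemUserData.create(new)
        self.salt, self.verifier = replacement.salt, replacement.verifier

    def add_number(self, raw: str) -> str:
        digits = normalize_number(raw)
        if not digits:
            raise ValueError("call-back number must contain digits")
        self.callback_numbers.add(digits)
        return digits

    def delete_number(self, raw: str) -> None:
        # Numbers cannot be edited, only deleted and re-added (see the Note above).
        self.callback_numbers.discard(normalize_number(raw))


def callback_decision(data: ModemUserData, username: str, password: str,
                      requested: str) -> tuple[bool, str]:
    """Decide whether the modem hangs up and dials back.

    Returns (True, number) only when the account is modemuser, the password is
    correct and the requested number is on the authorized list; otherwise
    (False, reason). Every failure refuses the call-back, and no path dials a
    number that is not already on the list."""
    if username != MODEM_ACCOUNT:
        return False, "unknown account"
    if not data.check_password(password):
        return False, "bad password"
    number = normalize_number(requested)
    if number not in data.callback_numbers:
        return False, "number not authorized"
    return True, number
```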
Change Password for Linux Root Account 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Step 3 Click on Change Password for Linux Root Account. 

The Change Linux Password page displays. See Figure 3-31. 

Figure 3-31 Change Linux Password Page 




Note The administrative console password must have eight or more alphanumeric 
characters. To enhance the security of the password, you can mix uppercase and 
lowercase characters. Password fields display all characters as asterisks to prevent 
inadvertent disclosure. 



Step 4 In the Current Password field, type the current Linux root password. 

Step 5 In the New Password field, use the guidelines noted above and type a 
unique password for the Linux root account. 

Step 6 In the Verify Password field, type the password again exactly as you typed 
it in the New Password field. 

Step 7 Click on the Change button. 
Show Current Login Information 

Step 1 If necessary, click on the System Status/Control link on the Navigation 
Bar. The System Identification page displays. 

Step 2 Click on the Access Control tab. 

The Access Control page displays. See Figure 3-26. 

Step 3 Click on the Show Current Login Information link. The Current Login 
Username and Privilege Level page displays (Figure 3-32). 




The username and privilege level for the user currently logged in displays 
(for example, username: misuser and privilege: admin). 
Application Control 




This area provides control over installed applications and services on the appliance, 
including SecureNet Sensor, Check Point VPN-1/FireWall-1, DHCP Server, and any 
other processes running on the system. 

Note The Application Setup page of the PDS Pilot varies according to the 
application(s) installed on the appliance. 



Application Setup for Check Point Software 

Before you start any Check Point application, you must set it up for use by accessing 
the command line to run cpconfig, the Check Point configuration software. 



Note Refer to the Check Point documentation for more information about using 
cpconfig. Use the serial port, SSH, or a modem to access the command line. 



The first time cpconfig is run, the system must be rebooted. Following the reboot, an 
InitialPolicy that prevents remote access is installed. To enable remote HTTPS or SSH 
access, you may need to uninstall the InitialPolicy using the command 
fw unloadlocal. 



To set up the Check Point FireWall-1 application, perform the following steps: 

Step 1 Click on the Application Control link on the Navigation Bar. 

The Application Setup page displays. See Figure 3-33. 

[Application Setup page: "Note: You must configure Check Point VPN-1/FireWall-1 
NG via cpconfig prior to starting Check Point VPN-1/FireWall-1 NG"; Current Check 
Point FireWall-1 Status pane showing Status: Stopped with a Start link] 

Figure 3-33 Application Setup (Check Point) Page 

This page displays the current FireWall-1 operating status and it lets you 
start or stop the application. This page also displays the current 
FireWall-1 boot status and lets you enable or disable the initiation of 
FireWall-1 on reboot. 
Step 2 To change the status of Check Point FireWall-1, click on the link to the 
right of the Status field in the Current Check Point FireWall-1 Status 
pane. The Start/Stop link changes based on the current selection. 

The Status field of the upper pane changes to reflect your selection. 



Application Setup for SecureNet Sensor 




Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
The SecureNet Pro Configuration page displays. See Figure 3-34. 

Note The SecureNet Sensor application was previously called SecureNet Pro and the 
prior name may appear on screen in some versions. The information displayed on the 
SecureNet Pro Configuration page depends on the applications and services you have 
installed. In the example in Figure 3-34, the SecureNet Linux Console and Sensor 
(Engine) are installed. 



[SecureNet Pro Configuration page, Versions pane: SecureNet Pro Engine Version: 
4.2-723, Signatures Version: 1.8-732] 

Figure 3-34 SecureNet Pro Configuration Page 

In this example, the SecureNet Pro Configuration page has five panes. 

The upper pane (Versions) displays the SecureNet Sensor versions for the 
currently installed components. Content changes with upgrades. 
The second pane (Administrative Consoles) displays the currently defined 
SecureNet Pro administrative consoles (if any) and lets you add, modify, 
or delete a console. 

The third pane (Background Daemon) displays the current SecureNet Pro 
operating status and it lets you start or stop the application. The third pane 
also displays the current SecureNet Pro boot status and it lets you enable 
or disable the initiation of SecureNet Pro on reboot. 

The fourth pane (License Key) displays the status of the SecureNet Pro 
license key installation and, if the license key is not installed, it lets you 
install the key. 

The fifth pane (Provider Manager) lets you add and configure a SecureNet 
Provider Manager for use with SecureNet Sensor. 

The sixth pane (Current Xdm Boot Status) lets you specify whether 
X-Windows or the command prompt should display when the appliance 
boots. 

Add a New Console 

Step 1 If necessary, click on the Application Control link on the Main Page 
Navigation Bar. The Application Setup page displays. 

Step 2 On the Application Setup page, click on the SecureNet Pro 
Configuration link. The SecureNet Pro Configuration page displays. 

Step 3 On the SecureNet Pro Configuration page, click on the Add a new 
Console link on the second pane. 

The Create Admin Console page displays. See Figure 3-35. 

Figure 3-35 Create Admin Console Page 

Step 4 In the Name field, type a unique name for the new console. 

Step 5 In the IP Address field, type the address of the new console in dotted quad 
format. 




Note The administrative console password must have eight or more alphanumeric 
characters. To enhance the security of the password, you can mix uppercase and 
lowercase characters. Password fields display characters as asterisks to prevent 
inadvertent disclosure. 



Step 6 In the Password field, use the guidelines noted above and type a unique 
password for the console. 

Step 7 In the Confirm Password field, type the password again exactly as you 
typed it in the Password field. 




Note The encryption type for the SecureNet Linux Console must match the 
encryption type specified for the SecureNet Sensor(s) with which it will be 
communicating. 
Step 8 To change the encryption type that the console will use, click on the 
Encryption Type field and then select an encryption type from the drop- 
down list (EXPORT, 3DES, BLOWFISH, DES). 

Step 9 In the Timeout field, enter the number of seconds that the console is 
allowed to be idle before it is automatically logged out. 

Step 10 Click on the Create button. 

The SecureNet Sensor Configuration page displays and shows the new 
console added to the list in the second pane. See Figure 3-34. 



Modify an Existing SecureNet Linux Console 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on Modify in the list 
in the second pane next to the console that you want to modify. 

The Modify Admin Console page displays. See Figure 3-36. 

Figure 3-36 Modify Admin Console Page 

This page is identical to the Create Admin Console page except that it is 
populated with the parameters of the console. This page lets you edit those 
parameters. All the following steps are optional, except that if you do 
change anything, you must click on the Modify button to activate the changes. 

Step 3 In the Name field, type a new unique name for the console. 

Step 4 In the IP Address field, type the new address of the Console in dotted quad 
format. 




Note The administrative console password must have eight or more alphanumeric 
characters. To enhance the security of the password, you can mix uppercase and 
lowercase characters. Password fields display all characters as asterisks to prevent 
inadvertent disclosure. 



Step 5 In the Password field, use the guidelines noted above and type a new 
password for the console. 

Step 6 In the Confirm Password field, type the new password again exactly as 
you typed it in the Password field. 




Note The encryption type for the SecureNet Linux Console must match the 
encryption type specified for the SecureNet Sensor(s) with which it will be 
communicating. 



Step 7 To change the encryption type that the console will use, click on the 
Encryption Type field and then select a new encryption type from the 
drop-down list (EXPORT, 3DES, BLOWFISH, DES). 

Step 8 In the Timeout field, edit the number of seconds that the console is allowed 
to be idle before it is automatically logged out. 

Step 9 Click on the Modify button. 

The SecureNet Sensor Configuration page displays and shows the 
selected console with new parameters. See Figure 3-34 . 

Delete an Existing 
SecureNet Linux Console 

To delete an existing SecureNet Linux Console, perform the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on Delete for the 
console that you want to delete. 

The SecureNet Sensor Configuration page refreshes and shows the 
selected console deleted from the list in the second pane. See Figure 3-34 . 

Start/Stop SecureNet 
Sensor 

To start or stop SecureNet Sensor, perform the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 To change the status, click on the Start SecureNet Sensor/Stop SecureNet 
Sensor link in the middle pane. 

The status changes to reflect your selection. 
Toggle SecureNet Sensor 
Boot Status 

The SecureNet Sensor Boot Status (will start on boot or will not start on boot) 
displays in the middle pane. To toggle (switch the status to its opposite) the current 
SecureNet Sensor Boot Status, perform the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

The SecureNet Sensor Configuration page displays. 
Step 2 To change the SecureNet Sensor Boot Status, click on Toggle Boot Status. 

The SecureNet Sensor Boot Status changes to reflect your selection. 

Install License Key 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

The SecureNet Sensor Configuration page displays. 
Step 2 Click on the Install license key link on the lower pane. 

The License Key Update page displays. See Figure 3-37 . 



Figure 3-37 License Key Update Page (the page shows a text window for the key 
and the Return and Home buttons) 

Step 3 In the text window, type the SecureNet Sensor license key exactly as 
provided to you by the Intrusion License Administrator. 

Step 4 Click on the Update button. 

The SecureNet Sensor Configuration page displays and shows the 
License Key as "found." 

The SecureNet Sensor Configuration page will include the link Display 
license key when you next view the page. You can use that link to view and 
edit the license key when updates are needed. 
Configure SecureNet 
Provider Managers 



The SecureNet Provider Manager is a Windows-based Network Intrusion Detection 
System layer that enables you to use the information from SecureNet Sensors on the 
Microsoft Windows 2000 platform. If you will use SecureNet Provider Manager, you 
will need to enable communications and security between the SecureNet Provider 
Manager host and SecureNet Sensor. 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on the Configure 
Provider Managers link on the Provider Managers pane at the bottom of 
the page. 

The SecureNet Provider Manager Configuration page in Figure 3-38 
displays. 
Figure 3-38 SecureNet Provider Manager Configuration Page 

The SecureNet Provider Manager Configuration page has three panes: 

The Provider Managers pane lets you add a new SecureNet Provider 
Manager. 
The Provider Manager Type pane lets you specify the type of system(s) that 
will be set up for communications with SecureNet Sensors. 

The Provider Manager Certificates pane lets you locate and upload 
certificate files. 

Create a SecureNet Provider Manager 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page ( Figure 3-34 ) displays. 

Step 2 Click on the Configure Provider Managers link at the bottom of the page. 
The SecureNet Provider Manager Configuration page ( Figure 3-38 ) 
displays. 

Step 3 To add a Provider Manager, click on the Add a New Manager link. The 
Create a Provider Manager page in Figure 3-39 displays. 



Figure 3-39 Create a Provider Manager Page (reached from the Application Setup 
tab; the page has the IP Address, Port, Auth Timeout and session timeout fields 
and a Create Provider Manager button) 

Step 4 Type the IP address of the PC that is host for the SecureNet Provider 
Manager application in the IP Address field. 

Step 5 Type the port number to be used for connection to the Provider Manager 
host PC in the Port field. 

Step 6 Type the number of seconds after which an authorization attempt is to be 
cancelled due to inactivity or failure in the Auth Timeout field. 

Step 7 Type the number of minutes after which a session is to be terminated due 
to inactivity. 

Step 8 After you have typed appropriate values in each field, click on the Create 
button to save the Provider Manager information and create the new 
Provider Manager. 
Configure SecureNet Provider Manager Type 

To use SecureNet Provider Manager with SecureNet Sensor, you will need to specify 
which components will receive data from sensors (Manager Type) and copy digital 
certificates to the appliance. 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on the Configure 
Provider Managers link on the Provider Managers pane at the bottom of 
the page. 

Step 3 To specify the Provider Manager Type, click on a radio button in the 
Provider Manager Type pane. Your selection will indicate the type of 
system that is to receive data from Sensors. 

Linux: Have the Linux -based SecureNet Linux Console to receive data 
from SecureNet Sensors. 

Windows: Have the Windows 2000-based SecureNet Provider Manager to 
receive data from SecureNet Sensors. 

Both: Have both the SecureNet Linux Console and the SecureNet Provider 
Manager receive data from SecureNet Sensors. 

Step 4 Click on the Update button to save the Provider Manager Type. 
Locate and Copy Provider Manager Certificates 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on the Configure 
Provider Managers link on the Provider Managers pane at the bottom of 
the page. 

Step 3 To locate certificate files on the hard drive of the PC connected to the 
appliance, click on the Browse button to choose the folder path where a file 
is located and then click on the filename to populate the Select field with 
the filename and path. Or, if you know the full path and filename, type it in 
the Select field. 

Step 4 Click on the Upload button when the correct path and filename for the 
certificate files is in the Select field. The files located on the PC are copied 
to the appliance. 

When the files are located, the appropriate field displays the message: 
Found. 
Modify a Provider Manager 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 Click on the Configure Provider Managers link at the bottom of the page. 
The SecureNet Provider Manager Configuration page displays. 

Step 3 To modify a Provider Manager, click on the Modify link at the top of the 
page. The Modify Provider Manager page in Figure 3-40 displays. 
Figure 3-40 Modify Provider Manager Page 

Step 4 Edit the IP address of the PC that is host for the SecureNet Provider 
Manager application in the IP Address field. 

Step 5 Edit the port number to be used for connection to the Provider Manager 
host PC in the Port field. 

Step 6 Edit the number of seconds after which an authorization attempt is to be 
cancelled due to inactivity or failure in the Auth Timeout field. 

Step 7 Edit the number of minutes after which a session is to be terminated due 
to inactivity. 

Step 8 After you have changed the appropriate values in each field, click on the 
Modify button to save the changed Provider Manager fields. 

Application Setup for 
SecureNet Sensor 




To perform the application setup, execute the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. See Figure 3-34 . 

Note The information displayed on the SecureNet Sensor Configuration page 
depends on the applications and services you have installed. In the example in 
Figure 3-34 , the SecureNet Linux Console and Sensor (Engine) are installed. 
Figure 3-41 SecureNet Sensor Configuration Page 

In this example, the SecureNet Configuration page has five panes. 

The upper pane (Versions) displays the SecureNet Sensor versions for the 
currently installed components. The content of this pane changes with 
product upgrades. 
The second pane (License Key) displays the status of the SecureNet Sensor 
license key installation and, if the license key is not installed, it lets you 
install the key. 

The third pane (Administrative Consoles) displays the currently defined 
SecureNet Sensor administrative consoles (if any) and lets you add, 
modify, or delete a console. 

The fourth pane (SecureNet Provider) lets you add and configure a 
SecureNet Provider Manager for use with SecureNet Sensor. 

The fifth pane (Control SNPd) displays the current SecureNet Sensor 
operating status and it lets you start or stop the application. The fifth pane 
also displays the current SecureNet Sensor boot status and it lets you 
enable or disable the initiation of SecureNet Sensor on reboot. 

Install License Key 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

The SecureNet Sensor Configuration page displays. 
Step 2 Click on the Install license key link on the lower pane. 

The License Key Update page displays. See Figure 3-37 . 



Figure 3-42 License Key Update Page 

Step 3 In the text window, type the SecureNet Sensor license key exactly as 
provided to you by the Intrusion License Administrator. 

Step 4 Click on the Update button. 

The SecureNet Sensor Configuration page displays and shows the License 
Key as "found." 

The SecureNet Sensor Configuration page will include the link Display 
license key when you next view the page. You can use that link to view and 
edit the license key when updates are needed. 
Add a New SecureNet Linux 
Console 

Step 1 If necessary, click on the Application Control link on the Main Page 
Navigation Bar. 

The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on the Add a new 
Console link on the second pane. 

The Create an Administrative Console page displays. See Figure 3-35 . 
Figure 3-43 Create an Administrative Console Page 



Step 3 In the Name field, type a unique name for the new console. 

Step 4 In the IP Address field, type the address of the new console in dotted quad 
format. 




Note The administrative console password must have eight or more alphanumeric 
characters. To enhance the security of the password, you can mix uppercase and 
lowercase characters. Password fields display characters as asterisks to prevent 
inadvertent disclosure. 



Step 5 In the Password field, use the guidelines noted above and type a unique 
password for the console. 

Step 6 In the Confirm Password field, type the password again exactly as you 
typed it in the Password field. 



3-56 PDS Pilot v2.7 User Guide March 2003 




Note The encryption type for the SecureNet Linux Console must match the 
encryption type specified for the SecureNet Sensor(s) with which it will be 
communicating. 

Step 7 To change the encryption type that the console will use, click on the 
Encryption Type field and then select an encryption type from the drop-down 
list (EXPORT, 3DES, BLOWFISH, DES). Of these, EXPORT and DES use short keys 
and are not considered secure; prefer 3DES or BLOWFISH when the sensors 
support it. 

Step 8 In the Timeout field, enter the number of seconds that the console is 
allowed to be idle before it is automatically logged out. 

Step 9 Click on the Create button. 

The SecureNet Sensor Configuration page displays and shows the new 
console added to the list in the second pane. See Figure 3-34 . 

Modify an Existing 
SecureNet Linux Console 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on Modify in the list in 
the second pane next to the console that you want to modify. 

The Modify an Administrative Console page displays. See Figure 3-36 . 
Figure 3-44 Modify an Administrative Console Page 

This page is identical to the Create an Administrative Console page (see 
Figure 3-35) except that it is populated with the parameters of the console. 
This page lets you edit those parameters. All the following steps are 
optional, except that if you do change anything, you must click on Modify 
button to activate the changes. 

Step 3 In the Name field, type a new unique name for the console. 

Step 4 In the IP Address field, type the new address of the Console in dotted quad 
format. 




Note The administrative console password must have eight or more alphanumeric 
characters. To enhance the security of the password, you can mix uppercase and 
lowercase characters. Password fields display all characters as asterisks to prevent 
inadvertent disclosure. 



Step 5 In the Password field, use the guidelines noted above and type a new 
password for the console. 

Step 6 In the Confirm Password field, type the new password again exactly as 
you typed it in the Password field. 




Note The encryption type for the SecureNet Linux Console must match the 
encryption type specified for the SecureNet Sensor(s) with which it will be 
communicating. 



Step 7 To change the encryption type that the console will use, click on the 
Encryption Type field and then select a new encryption type from the 
drop-down list (EXPORT, 3DES, BLOWFISH, DES). 

Step 8 In the Timeout field, edit the number of seconds that the console is allowed 
to be idle before it is automatically logged out. 

Step 9 Click on the Modify button. 

The SecureNet Sensor Configuration page displays and shows the selected 
console with new parameters. See Figure 3-34 . 

Delete an Existing 
SecureNet Linux Console 

To delete an existing SecureNet Linux Console, perform the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on Delete for the 
console that you want to delete. 

The SecureNet Sensor Configuration page refreshes and shows the 
selected console deleted from the list in the second pane. See Figure 3-34 . 
Configure SecureNet 
Provider Managers 



The SecureNet Provider Manager is a Windows-based Network Intrusion Detection 
System layer that enables you to use the information from SecureNet Sensors on the 
Microsoft Windows 2000 platform. If you will use SecureNet Provider Manager, you 
will need to enable communications and security between the SecureNet Provider 
Manager host and SecureNet Sensor. 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on the Configure 
SecureNet Providers link on the SecureNet Provider pane of the page. 

The SecureNet Provider Manager Configuration page in Figure 3-38 
displays. 
Figure 3-45 SecureNet Provider Manager Configuration Page 

The SecureNet Provider Manager Configuration page has three panes: 

The Provider Managers pane lets you add a new SecureNet Provider 
Manager. 

The Provider Manager Type pane lets you specify the type of system(s) that 
will be set up for communications with SecureNet Sensors. 
The Provider Manager Certificates pane lets you locate and upload 
certificate files. 

Create a SecureNet Provider Manager 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page ( Figure 3-34) displays. 

Step 2 Click on the Configure SecureNet Providers link. 

The SecureNet Provider Manager Configuration page ( Figure 3-38) 
displays. 

Step 3 To add a Provider Manager, click on the Add a New Manager link. The 
Create a Provider Manager page in Figure 3-39 displays. 
Figure 3-46 Create a Provider Manager Page 

Step 4 Type the IP address of the PC that is host for the SecureNet Provider 
Manager application in the IP Address field. 

Step 5 Type the port number to be used for connection to the Provider Manager 
host PC in the Port field. 

Step 6 Type the number of seconds after which an authorization attempt is to be 
cancelled due to inactivity or failure in the Auth Timeout field. 

Step 7 Type the number of minutes after which a session is to be terminated due 
to inactivity. 

Step 8 After you have typed appropriate values in each field, click on the Create 
button to save the Provider Manager information and create the new 
Provider Manager. 
Configure SecureNet Provider Manager Type 

To use SecureNet Provider Manager with SecureNet Sensor, you will need to specify 
which components will receive data from sensors (Manager Type) and copy digital 
certificates to the appliance. 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on the Configure 
SecureNet Providers link on the SecureNet Provider pane. 

Step 3 To specify the Provider Manager Type, click on a radio button in the 
Provider Manager Type pane. Your selection will indicate the type of 
system that is to receive data from Sensors. 

Linux: Have the Linux -based SecureNet Linux Console to receive data 
from SecureNet Sensors. 

Windows: Have the Windows 2000-based SecureNet Provider Manager to 
receive data from SecureNet Sensors. 

Both: Have both the SecureNet Linux Console and the SecureNet Provider 
Manager receive data from SecureNet Sensors. 

Step 4 Click on the Update button to save the Provider Manager Type. 
Locate and Copy Provider Manager Certificates 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 On the SecureNet Sensor Configuration page, click on the Configure 
SecureNet Providers link on the SecureNet Provider pane. 

Step 3 To locate certificate files on the hard drive of the PC connected to the 
appliance, click on the Browse button to choose the folder path where a file 
is located and then click on the filename to populate the Select field with 
the filename and path. Or, if you know the full path and filename, type it in 
the Select field. 

Step 4 Click on the Upload button when the correct path and filename for the 
certificate files is in the Select field. The files located on the PC are copied 
to the appliance. 

When the files are located, the appropriate field displays the message: 
Found. 
Modify a Provider Manager 

Step 1 If necessary, click on the Application Setup link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 Click on the Configure SecureNet Providers link. The SecureNet Provider 
Manager Configuration page displays. 

Step 3 To modify a Provider Manager, click on the Modify link at the top of the 
page. The Modify Provider Manager page in Figure 3-40 displays. 
Figure 3-47 Modify Provider Manager Page 

Step 4 Edit the IP address of the PC that is host for the SecureNet Provider 
Manager application in the IP Address field. 

Step 5 Edit the port number to be used for connection to the Provider Manager 
host PC in the Port field. 

Step 6 Edit the number of seconds after which an authorization attempt is to be 
cancelled due to inactivity or failure in the Auth Timeout field. 

Step 7 Edit the number of minutes after which a session is to be terminated due 
to inactivity. 

Step 8 After you have changed the appropriate values in each field, click on the 
Modify button to save the changed Provider Manager fields. 

Start/Stop SecureNet 
Sensor 

To start or stop SecureNet Sensor, perform the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
The SecureNet Sensor Configuration page displays. 

Step 2 To change the status, click on the Start SecureNet Sensor/Stop SecureNet 
Sensor link in the middle pane. 

The status changes to reflect your selection. 
Toggle SecureNet Sensor 
Boot Status 

The SecureNet Sensor Boot Status (will start on boot or will not start on boot) 
displays in the middle pane. To toggle (switch the status to its opposite) the current 
SecureNet Sensor Boot Status, perform the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

The SecureNet Sensor Configuration page displays. 
Step 2 To change the SecureNet Sensor Boot Status, click on Toggle Boot Status. 

The SecureNet Sensor Boot Status changes to reflect your selection. 



Daemon Control 

To control the daemons installed on the appliance, perform the following steps: 

Note The status of the VPN-1/FireWall-1 daemons cpboot, cpri_d, and fwlboot should not 
be changed. Use cpconfig or Application Control under Package Management to control these 
VPN-1/FireWall-1 daemons. 



Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
The Application Configuration page displays. 

Step 2 Click on the Daemon Control tab. 
The Daemon Control page displays. See Figure 3-48 . 

Figure 3-48 Daemon Control Page 

The Daemon Control page shows the xinetd-controlled daemons (if any) 
and the netd-controlled daemons currently installed on the appliance. 

For each daemon listed, the page displays the current boot status (Will 
start on boot or Will not start on boot). 

You can "toggle" the status, that is, change the status to its opposite. Each 
daemon's current operational status (Running or Stopped) displays and 
you can toggle the status. Note that all running daemons have an additional 
option of restarting the daemon. 

Step 3 When you are finished viewing/changing the status of the daemons, click 
on Home to return to the PDS Pilot Main page. 
Configure DHCP Server 



The DHCP Server page lets you configure your appliance as a DHCP server. 




Caution Consider carefully whether you want to configure your appliance as a DHCP 
server; it can cause problems if another DHCP server is already on the network. Also, 
the DHCPD requires more disk space to operate and smaller appliances (PDS 1110 
and the PDS 2000 Series) have limited logging capabilities. 



To configure the DHCP Server, perform the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the DHCP Server tab. If the DHCPD service is not installed, a 
page displays a link that you can use to install the service. 

If you installed the DHCPD service, the DHCP Server page ( Figure 3-49) 
displays. 
Figure 3-49 DHCP Server Page 
This page has six panes. The first pane displays the current DHCPD 
(Dynamic Host Configuration Protocol Daemon) status and lets you 
change the status. The second pane displays the DHCPD boot status and 
lets you change the status. 

The third pane displays the currently defined Global Options (if any) and 
lets you edit the options. The fourth pane displays the currently defined 
Subnets (if any) and lets you add Subnets. 

The fifth pane displays the currently defined Hosts (if any) and lets you add 
hosts. The sixth pane lets you view the current leases. 

Change DHCPD Status 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
Step 2 Click on the DHCP Server tab. 

Step 3 To change the status of DHCPD, click on the appropriate link (Start/Stop) 
in the first pane on the DHCP Server page (see Figure 3-49) . 

The Current DHCPD Status changes to reflect your selection. 

Change DHCPD Boot 
Status 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
Step 2 Click on the DHCP Server tab. 

Step 3 To change the boot status of DHCPD, click on the appropriate link 
(Enable/Disable) in the second pane on the DHCP Server page (see 
Figure 3-49) . 

The DHCPD Boot Status changes to reflect your selection. 

Edit DHCP Global Options 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
Step 2 Click on the DHCP Server tab. 

Step 3 On the DHCP Server page (see Figure 3-49) , click on Edit Global 
Options. 
The Edit Global Options page displays. See Figure 3-50 . 



Figure 3-50 Edit Global Options Page. The upper pane has the fields Netmask, 
Max Lease, Default Lease, Domain Name, and Nameservers. The lower pane 
(Listen Order) lists each interface with its network, a Listen (Yes/No) 
drop-down, and an Order drop-down; in the example the rows are eth1 
(10.0.0.0, Listen No), eth2 (Not Configured, Listen No), and eth3 
(192.86.13.0, Listen No). The page has the buttons Update Global Options, 
Reset, Return, and Home. 

This page has two panes. The upper pane lets you set global options for the 
DHCP server. The lower pane lets you specify which Ethernet interfaces 
that the DHCP server is to listen to and the order in which they are to be 
listened to. 

Step 4 In the Netmask field, type the default netmask for the subnets to be served 
by the DHCP server. 

Step 5 In the Max Lease field, type the maximum amount of time (in seconds) 
that an IP address can be leased. 

Step 6 In the Default Lease field, type the default amount of time (in seconds) 
that an IP address can be leased. 

Step 7 In the Domain Name field, type the name of the domain to be served by 
the DHCP server. 

Step 8 In the Nameservers field, type the IP address or name of the Domain 
Name Servers to be served by the DHCP server. 

Step 9 In the lower pane, specify the interface(s) that the DHCP server is to 
listen on by clicking in the Listen field for each interface and selecting 
Yes or No from the drop-down menu. 

Step 10 If you specified two or more interfaces to be listened on, set the order 
in which they are to be listened on by clicking in the Order field and 
selecting the order from the drop-down menu. 

Step 11 When you are finished setting the global options, click on the Update 
Global Options button. 

The DHCP Server page displays. See Figure 3-49 . 

Add a Subnet 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
Step 2 Click on the DHCP Server tab. 

Step 3 On the DHCP Server page (see Figure 3-49) , click on the Add a Subnet 
link in the fourth pane. 

The Add New Subnet page displays. See Figure 3-51 . 
Figure 3-51 Add New Subnet Page 

Step 4 In the Subnet field, type the IP address of the subnet that the server is to 
serve. 



Step 5 In the Netmask field, type the netmask to be applied to the subnet. 
Step 6 In the Broadcast field, type the broadcast address of the subnet. 

Step 7 In the IP Range field, type the range of IP addresses to serve. 

Step 8 In the Default Lease field, type the default amount of time (in seconds) 
that an IP address can be leased. 

Step 9 In the Domain Name field, type the name of the domain to be served by 
the DHCP server. 

Step 10 In the Nameservers field, type the IP address or name of the Domain 
Name Servers to be served by the DHCP server. 

Step 11 In the Routers field, type the list of routers to serve. 

Step 12 In the Submask field, type the netmask to be served (based on range). 

Step 13 When you are finished entering the subnet parameters, click on the Add 
Subnet button. 

The DHCP Server page displays with the new subnet listed. See Figure 3-49 . 

Add a Host 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
Step 2 Click on the DHCP Server tab. 

The DHCP Server page displays (see Figure 3-49) . 
Step 3 On the DHCP Server page, click on Add a Host in the fifth pane. 

The Add New Host page displays. See Figure 3-52 . 
Figure 3-52 Add New Host Page 

Step 4 In the Host field, type the name of the host. 

Step 5 In the HW Address field, type the hardware address of the host (MAC 
address). 

Step 6 In the Bootp Server field, type the name of the server that serves the 
bootp image. 

Step 7 In the Bootp File field, type the name of the file that contains the bootp 
parameters. 

Step 8 When you are finished defining the host to be added, click on the Add Host 
button. 

The DHCP Server page displays with the new host listed. See Figure 3-49 . 

View DHCP Leases 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the DHCP Server tab. 

The DHCP Server page displays (see Figure 3-49) . 
Step 3 On the DHCP Server page, click on View Leases in the sixth pane. 

The current leases (if any) display. 
Step 4 When you are finished viewing the current leases, click on Return. 

The DHCP Server page displays. See Figure 3-49 . 



Configure DHCP Relay 

DHCP Relay allows DHCP client requests to be forwarded to a specific IP 
address. This is useful for reaching DHCP servers on a different network 
segment. 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
Step 2 Click on the DHCP Relay tab. 

The DHCP Relay page displays. See Figure 3-53 . 
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Figure 3-53 DHCP Relay Page 



This page displays the currently configured DHCP relays or a message to 
indicate that no relay is defined. Links on the page allow you to add a new 
DHCP relay instance and delete an existing DHCP relay. 
Add a DHCP Relay Instance 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the DHCP Relay tab. 
Step 3 To add an instance, click on Add in the lower pane. 
The Add Instance page displays. See Figure 3-54. 
The Add Instance page displays. See Figure 3-54 . 
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Figure 3-54 Add Instance Page 

Step 4 Select the interface(s) that are to act as DHCP relays by clicking on the 
checkboxes: check an interface to make it a relay, or clear it to exclude it. 

Step 5 In the Servers field, type the name(s) of the server(s) (separated with 
spaces) that the appliance will relay for. 

Step 6 In the PID file field, type the path and name of the process ID file. 

Step 7 Optionally, in the Port field, type the port number. 

Delete a DHCP Relay Instance 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 
Step 2 Click on the DHCP Relay tab. 

Step 3 To delete a DHCP relay instance, click on del to the right of the instance 
that you want to delete. 

The DHCP Relay page refreshes and the selected instance is deleted. 
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NTP Setup 



The NTP Setup page allows configuration of the appliance as a Network Time 
Protocol client. 




Note Network Time Protocol on PDS Pilot is not configurable as an NTP server. 
To configure the NTP setup, perform the following steps: 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the NTP Setup tab. 

If you have not installed the NTPD service, a page displays with a link that 
you can use to install the service. 

If you installed the NTPD service, the NTP Setup page displays. See 
Figure 3-55 . 
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Figure 3-55 NTP Setup Page 
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The first pane displays the current NTPD status and it lets you stop or start the NTP 
daemon. The second pane displays the current boot status and it lets you enable or 
disable the initiation of NTPD on reboot. The third pane displays the currently defined 
NTPD servers and peers, and it lets you delete a server/peer that you no longer need. 
The fourth pane lets you add a new NTPD server/peer. The lower pane lets you 
synchronize your appliance to a specified NTPD server. 
Start or Stop NTPD 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the NTP Setup tab. 

The NTP Setup page displays. See Figure 3-55. 

Step 3 To change the current NTPD status, click on the appropriate link (Start/ 
Stop) in the upper pane. 

The Current NTPD Status changes to reflect your selection. 

Step 4 When you have completed making changes for all NTP Setup options, 
click on the Activate Changes link under NTP Servers/Peers. 

Enable or Disable NTPD at Boot 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the NTP Setup tab. 

The NTP Setup page displays. See Figure 3-55. 

Step 3 To change the NTPD boot status, click on the appropriate link (Enable/ 
Disable) in the second pane (the name of the link changes with the status). 

The NTPD Boot Status changes to reflect your selection. 

Step 4 When you have completed making changes for all NTP Setup options, 
click on the Activate Changes link under NTP Servers/Peers. 

Add an NTPD Server/Peer 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the NTP Setup tab. 

The NTP Setup page displays. See Figure 3-55. 

Step 3 To add a new NTPD server/peer, click on the Add link in the fourth pane. 

The Add NTPD Server/Peer page displays. See Figure 3-56. 

Figure 3-56 Add NTPD Server/Peer Page 

Step 4 Click on the NTPD Type field and select the type for the new server or 
peer. The choices are Server and Peer. 

Step 5 In the Host field, type the hostname or IP address (in dotted quad format) 
of the NTP host. 

Step 6 In the Key field, type the authentication key for the specified NTP host. 

Step 7 In the Version field, type the NTP protocol version to use for packets sent 
to this host (the ntpd version option). 

Step 8 For a server only, type the mode to be used in the Mode field. 

Step 9 Click on the Prefer field and select whether the new server or peer is the 
preferred server/peer. The choices are Yes and No. 

Step 10 When you are finished entering the required information, click on the Add 
to NTPD button. 

The NTP Setup page displays and the new NTPD server/peer appears in the 
third pane. 

Step 11 When you have completed making changes for all NTP Setup options, 
click on the Activate Changes link under NTP Servers/Peers. 

Delete an NTPD Server/Peer 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the NTP Setup tab. 

The NTP Setup page displays. See Figure 3-55. 

Step 3 To delete an NTPD server/peer, click on the del link to the right of the 
server/peer that you want to delete. 

The NTP Setup page refreshes and the NTPD server/peer is deleted. 

Step 4 When you have completed making changes for all NTP Setup options, 
click on the Activate Changes link under NTP Servers/Peers. 
Synchronize with Time Server 

Step 1 If necessary, click on the Application Control link on the Navigation Bar. 

Step 2 Click on the NTP Setup tab. 

The NTP Setup page displays. See Figure 3-55. 

Step 3 To synchronize the NTPD client with a valid NTP server, type the IP 
address (in dotted quad format) for the server in the Server to Sync With 
field. 




Note Synchronization with an NTP service may be possible only if the system clock 
time is within one thousand seconds (approximately 16.67 minutes) of the time on 
the server. 



Step 4 When you have completed making changes for all NTP Setup options, 
click on the Activate Changes link under NTP Servers/Peers. 
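The offset that ntpd computes from one request/reply exchange, and the one-thousand-second limit in the note above, as an added example that is not part of this guide or of the appliance's software. It builds a minimal SNTP exchange (NTPv4 client mode 3, server mode 4) from constructed packets so that it runs offline; the timestamps are made up, and the checks made before the reply is trusted (mode, version, stratum, leap indicator, and that the origin timestamp echoes our own transmit timestamp) are the ones any client should make before adjusting its clock.

```python
import struct
from typing import Tuple

NTP_UNIX_DELTA = 2_208_988_800   # seconds between the NTP epoch (1900) and the Unix epoch (1970)
PANIC_LIMIT = 1000.0             # ntpd's panic threshold: larger offsets are refused, not corrected


def to_ntp_ts(unix_seconds: float) -> bytes:
    """Encode Unix time as a 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_UNIX_DELTA) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def from_ntp_ts(raw: bytes) -> float:
    """Decode a 64-bit NTP timestamp back to Unix time (float seconds)."""
    whole, frac = struct.unpack("!II", raw)
    return whole - NTP_UNIX_DELTA + frac / (1 << 32)


def build_client_request(t1: float) -> bytes:
    """48-byte NTPv4 client packet: LI=0, VN=4, mode=3; only the transmit timestamp is filled."""
    first_byte = (0 << 6) | (4 << 3) | 3
    return bytes([first_byte]) + b"\x00" * 39 + to_ntp_ts(t1)


def build_server_reply(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Constructed server reply (mode 4) filled in as a real server would:
    origin = the client's t1, receive = t2, transmit = t3. Stands in for the network here."""
    first_byte = (0 << 6) | (4 << 3) | 4
    head = struct.pack("!BBbb", first_byte, stratum, 6, -20)  # LI/VN/mode, stratum, poll, precision
    head += b"\x00" * 12                                       # root delay, root dispersion, reference id
    return head + to_ntp_ts(t2 - 64.0) + to_ntp_ts(t1) + to_ntp_ts(t2) + to_ntp_ts(t3)


def parse_server_reply(pkt: bytes, t1: float, t4: float) -> Tuple[float, float]:
    """Validate a reply and return (clock offset, round-trip delay) in seconds.
    t1 = local clock when the request left, t4 = local clock when the reply arrived."""
    if len(pkt) < 48:
        raise ValueError("short packet")
    li, version, mode = pkt[0] >> 6, (pkt[0] >> 3) & 7, pkt[0] & 7
    stratum = pkt[1]
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if version not in (3, 4):
        raise ValueError(f"unexpected NTP version {version}")
    if li == 3 or stratum == 0 or stratum > 15:
        raise ValueError("server is unsynchronized or sent a kiss-o'-death packet")
    origin = from_ntp_ts(pkt[24:32])
    if abs(origin - t1) > 1e-6:
        # a reply whose origin field does not echo our transmit timestamp was not produced
        # for our request (stale, replayed or forged), so it must not touch the clock
        raise ValueError("origin timestamp does not match our request")
    t2 = from_ntp_ts(pkt[32:40])
    t3 = from_ntp_ts(pkt[40:48])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def within_panic_limit(offset: float) -> bool:
    """True if ntpd would apply the correction; beyond PANIC_LIMIT it exits instead."""
    return abs(offset) <= PANIC_LIMIT


def simulate_exchange(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float, bool]:
    """Push one request/reply through the builder and parser; returns (offset, delay, steppable)."""
    request = build_client_request(t1)
    assert len(request) == 48
    reply = build_server_reply(from_ntp_ts(request[40:48]), t2, t3)
    offset, delay = parse_server_reply(reply, t1, t4)
    return offset, delay, within_panic_limit(offset)


if __name__ == "__main__":
    # Constructed scenario: the appliance clock is twenty minutes behind the server.
    t1 = 1_048_000_000.25        # appliance clock when the request is sent
    t4 = t1 + 0.10               # appliance clock when the reply arrives
    t2 = t1 + 1200.05            # server clock on receipt (server is 1200 s ahead)
    t3 = t2 + 0.001              # server clock on transmit
    offset, delay, ok = simulate_exchange(t1, t2, t3, t4)
    print(f"offset={offset:+.3f}s delay={delay:.3f}s steppable={ok}")
```

With the clock 1200 seconds behind, the computed offset exceeds the panic limit and the correction is refused; set the clock by hand to within a few minutes of the server first, then let NTPD take over.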
Package Management 



The Package Management page lets you perform software application and system 
updates. 

Step 1 If necessary, click on the Package Management link on the Navigation 
Bar. 

The Package Management page displays. See Figure 3-57 . 



Figure 3-57 Package Management Page (Select function: Install Package, to install a 
single RPM package; Upgrade Packages, to upgrade all packages; Install Services, to 
install available services) 

This page lets you perform package management functions. You can install 
a single RPM package, upgrade all RPM packages, or install services. 
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Install Package 



If you need to install a single package, perform the following steps from the Package 
Management page ( Figure 3-57) . 

Step 1 From the Package Management page, click on the Install Package link. 
The Install Package page displays (Figure 3-58). 

Figure 3-58 Install Package Page (Top): Install Package via APT; Package Name field 
(for example: ntp, dhcp); Install/Upgrade via APT button; Apt Repository Location: 
rpm file:/pds . pds; "Click here to change" link 

Step 2 If you want to install the package using APT, use the top pane of the Install 
Package page ( Figure 3-58 ). In the Package Name field, type the name of 
the package to install from the APT Repository. 

Note If the location of the APT Repository has changed, click on the link (the word 
"here") in "Click here to change." Type the new location of the APT Repository. 



Step 3 Click on the Install/Upgrade via APT button to begin the installation from 
the specified location. 
Step 4 If you want to install the package using RPM, use the bottom pane of the 
Install Package page (Figure 3-59). 

Figure 3-59 Install Package Page (Bottom): Install Package via RPM; Full Path and 
Package Name field (for example: ftp://site/dir/package-version.rpm, 
http://site/dir/package-version.rpm, /dir/package-version.rpm); Install/Upgrade via 
RPM button; Return Home link 

Step 5 In the Full Path and Package Name field, type or edit the path and name 
string that identifies the location and name of the package to be installed. Refer 
to the appropriate manpages and use the format shown on screen. 

Step 6 Click on the Install/Upgrade via RPM button to begin the installation 
from the specified location. 

Note A package fetched by ftp or http is installed as it arrives. If the package 
is available on another host, verify its signature there (rpm --checksig 
<package>.rpm) before pointing the appliance at it. 
Upgrade Packages 

If you need to upgrade all packages, perform the following steps from the Package 
Management page (Figure 3-57). 

Step 1 From the Package Management page, click on the Upgrade Packages link. 

The Application Update page displays (Figure 3-60). 



Figure 3-60 Application Update Page 

Add an APT source URL: 
Format of valid URL: [[vendor]] uri distribution [component1] [component2] [...] 
Examples: 
http://server:port/directory main contrib 
http://user:pass@server:port/directory main contrib 
ftp://server/directory directory/subdirectory 

Apt Sources table (columns: Source URL, Status, Delete?), as shown in the figure: 
file:/pds . pds (Active) 
ftp://12.148.143.138/pub/PDSUpdate Latest snp (Inactive) 

Buttons: Apply Changes, Reset, Restore Initial APT Repository Locations, Update applications 

This page lets you update the software on your PDS appliance and it lets 
you manage the sources from which the software updates are obtained. 

When this page is displayed the first time, it may initially display one or 
more locations for software updates. For example, if your appliance has an 
internal repository, it is listed. 

This page lets you add and delete sources, and it lets you activate/ 
deactivate individual sources. Because we are constantly improving our 
software, the software contained in those initial source locations will 
become outdated. Generally, when a new source with the latest versions of 
RPMs is available, you should add it to the list and you should deactivate 
or delete sources with older versions of RPMs. 
When you perform an update, PDS Pilot updates RPMs using all the 
activated APT sources in the list. If an RPM is present in two or more 
sources, PDS Pilot takes the copy whose version and release are highest 
(the latest version). 

Step 2 To add an APT source, type the URL for the APT source in the Add an 

APT source URL field and then click on the Add button. Refer to the URL 
formats shown in the on-screen examples. 

The new source is added to the Apt Sources table at the bottom of the page. 

Step 3 To delete an existing APT source, click on its Delete checkbox for the 
Source URL that you want to delete and then click on Apply Changes. 

Step 4 To restore the locations that were initially in the list, click on the Restore 
Initial Repository Locations button. Note that when you use this option, 
any sources that have been added to the list are removed and the initial 
locations are added back to the list. 

Step 5 To update the software applications on your appliance, click on the Update 
Applications button. 

The latest versions of the software contained in the activated APT sources 
are installed. 
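How "highest version" is decided when the same RPM appears in more than one active source, as an added example that is not the appliance's own code: a Python re-implementation of RPM's epoch:version-release comparison (the rpmvercmp rules: non-alphanumerics separate segments, numeric segments compare as integers, alphabetic ones as strings, a numeric segment outranks an alphabetic one in the same position, and a longer string with an equal prefix is newer; the epoch, when present, wins outright). The version strings are the ones listed on the Install Services page of this guide; the second source URL is a placeholder, not a real repository.

```python
import re
from typing import Iterable, Optional, Tuple

_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")   # everything else is a separator


def rpmvercmp(a: str, b: str) -> int:
    """Compare two version (or release) strings the way rpm's rpmvercmp() does.
    Returns 1 if a is newer, -1 if b is newer, 0 if they rank equal."""
    if a == b:
        return 0
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)              # numeric: 10 > 9, leading zeros ignored
            result = (xi > yi) - (xi < yi)
        elif x_num != y_num:
            result = 1 if x_num else -1          # numeric segment beats alphabetic segment
        else:
            result = (x > y) - (x < y)           # alphabetic: plain string order
        if result:
            return result
    # equal so far: the string with more segments is the newer one
    return (len(seg_a) > len(seg_b)) - (len(seg_a) < len(seg_b))


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split '[epoch:]version[-release]' into (epoch, version, release); epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        epoch_str, evr = evr.split(":", 1)
        epoch = int(epoch_str)
    version, sep, release = evr.rpartition("-")
    if not sep:                                  # no release component at all
        version, release = release, ""
    return epoch, version, release


def compare_evr(a: str, b: str) -> int:
    """Epoch decides first; then version; then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def newest(candidates: Iterable[Tuple[str, str]]) -> Optional[Tuple[str, str]]:
    """Return the (source, evr) pair with the highest EVR; on a tie the first listed wins."""
    best = None
    for candidate in candidates:
        if best is None or compare_evr(candidate[1], best[1]) > 0:
            best = candidate
    return best


if __name__ == "__main__":
    # Constructed catalogue: the ntp package offered by two active APT sources.
    offers = [
        ("file:/pds", "4.0.99k-15pds"),
        ("ftp://repo.example.com/pub/PDSUpdate", "4.0.99k-16pds"),   # placeholder URL
    ]
    src, evr = newest(offers)
    print(f"would install ntp {evr} from {src}")
```

Note that the epoch is invisible in the file name: dhcp 1:2.0pl5-4pds outranks a hypothetical dhcp 3.0.1-1pds, so a source carrying an older-looking version with a higher epoch still wins the update.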



Install Services 

If, during Staging, you did not install a service that you need, you can install the 
service from the Package Management page (Figure 3-57). 

Note The list of services that displays may not match the figure shown in this 
procedure. The services listed on the page vary depending on the model of the 
appliance you are configuring. 



Step 1 From the Package Management page, click on the Install Services link. 

A list of the available services displays as shown in Figure 3-61 . For 
services that have not been installed, a checkbox displays to the left of the 
service and its description. For each service that is already installed, a 
message displays instead of a checkbox. 
Install Services page: "Click the checkboxes for the service(s) you wish to install. 
Then click the Install Service(s) button below." The services shown in the figure are: 

• callback_icom 1.0.0-5: A set of Intrusion Inc. policies for mgetty. 

• dhcp 1:2.0pl5-4pds: A DHCP (Dynamic Host Configuration Protocol) server and relay agent. 

• keepalived 0.6.3-2pds: The KeepAlive/VRRP Daemon. 

• ntp 4.0.99k-15pds: Synchronizes system time using the Network Time Protocol (NTP). 

• ucd-snmp 4.2.3-2pds: A collection of SNMP protocol tools. 

• xinetd 2.3.3-1.1pds: A secure replacement for inetd. 

• zebra 0.91a-4pds: Routing daemon. 

Buttons: Install Service(s), Reset 

Figure 3-61 Services Installation Page 

Step 2 Click on the checkboxes for the services you want to install. 

Step 3 Click the Install Service(s) button to start installation. 

The installation screen for the selected services displays. Installation of 
services may require several minutes for completion. 
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Appendix A 



Software Recovery 

This appendix provides the procedures for recovering your appliance if you should 
have a problem with it and need to restore it to a known state. 

Read this entire appendix to get a general understanding of how the procedures work. 
Many steps have to be performed quickly to prevent the processing of a default action. 

Depending on the severity of the problem, you have several choices from which you 
can choose the most appropriate procedure to perform. In determining which 
procedure you should perform, consider the level of the corruption suspected and start 
at that point. 

• If the software on your system has been corrupted, but YOU CAN BOOT the 
appliance from its hard drive, you can recover the software image from one of 
several sources. 

• If the software on your system has been corrupted and YOU CANNOT BOOT the 
appliance from its hard drive, you can start software recovery by booting from 
the PDS Appliance Software CD (5300, 5500, and 7000 models only); the image 
itself can then be recovered from one of several sources (not just the CD). 

• If the software on your system has been corrupted, YOU CANNOT BOOT the 
appliance from its hard drive, and your appliance does not have a CD-ROM 
reader, you must contact Intrusion Technical Support to determine how to 
proceed. 

You have the following sources from which you can recover the software: 

• PDS Appliance Software CD (5300, 5500, and 7000 models only) 

• Repository on the hard drive (2300, 2400, 5000, and 7000 models only) 

• Repository on an FTP server or an HTTP server (all models, including PDS 1100 
and 2100 originally imaged with PDS Pilot v2.4 or later) 

Note To recover the software image or reinstall the PDS Pilot software on a 
PDS 1100 or PDS 2100 that was originally imaged with PDS Pilot software with a version 
lower than 2.4, you must return the appliance to Intrusion or to the place of purchase 
for re-imaging. For more information, call the Intrusion Technical Support Group toll- 
free at 1-888-637-7770. 
Reinstall PDS Pilot Software Image 

To recover your software image, perform the following steps: 

Reboot from Recovery CD 

Step 1 Set up the PDS appliance connection for "command line" control and 
display. If necessary, connect a dumb terminal or a terminal emulator to the 
serial port on the appliance 

--OR-- 

connect a PS/2 keyboard and video monitor to the ports on the front of the 
appliance. 

Step 2 If your PDS appliance is capable of being booted from its internal hard 
drive, go to Step 6 . 



--OR-- 



If your appliance is not capable of being booted from its internal hard drive 
and it has a CD-ROM reader, go to Step 3 . 

Step 3 Insert the PDS Appliance Software CD into the CD-ROM reader, and then 
power up the appliance by setting the Power switch on the front or rear of 
the appliance to the ON position. 

A message warning you that the installation of the software from the CD 
will completely erase the contents of your hard disk displays. This is 
followed by a boot: prompt. 

Step 4 To identify your current connection to the command line interface, type 
one of the following at the boot: prompt: 

kvm 
serial 

and then press [Enter]. 

The "serial" option applies to connection of a dumb terminal or a terminal 
emulator to the serial port. 

Step 5 Go to Step 10. 

Reboot from Hard Drive 

Step 6 Reboot the appliance by logging in and then typing reboot 

--OR-- 

reboot the appliance by pressing the recessed Reset button on the front or 
rear of the appliance. 

When the appliance reboots, the GRUB (GRand Unified Bootloader) menu 
displays. 

Step 7 Watch for the Press any key prompt (it displays five times) and then 
quickly press [Enter] (within five seconds). 

A menu of installation choices appears. The menu does not appear if you 
missed pressing [Enter] within the 5-second period. In that case, go back to 
Step 6 and reboot the appliance again. 
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Note In the following step, select the Install PDS Pilot (Serial Console) option only 
if you are using the appliance with a serial console (a dumb terminal or a PC with a 
terminal emulator connected to the serial port of the appliance). 

Step 8 Using the arrow keys, select the appropriate installation option for your 
appliance (for example, select Install PDS Pilot (KVM Console) 
for a PDS 5xxx with keyboard, video monitor, and mouse ports) and then 
press [Enter]. 

A password prompt displays. 

Step 9 Type the following password: 

wipedisk 

and then press [Enter]. 

Note This password confirms the erase; because it is printed in this guide, it does 
not protect against it. Anyone who can reach the console (serial port or keyboard and 
monitor) and reboot the appliance can wipe and reinstall it, so control physical access 
to the appliance and to its console port. 

Step 10 A prompt for the installation source displays. Type one of the following: 

disk 
cdrom 
http://<network address> (for example: http://10.23.43.6/PDS_Pilot) 
ftp://<network address> (for example: ftp://ftp.myco.com/PDS_Pilot) 

and then press [Enter]. 

Step 11 If you entered disk or cdrom as the source for the software, go to Step 14. 

Note In the following step, if you specify auto (meaning that the address will be 
automatically assigned by a DHCP server), a DHCP server must be able to assign an 
address to the PDS. The DHCP server typically needs to be on the same network as 
the PDS. 

Step 12 If you entered an HTTP or FTP address as the source for the software, a 
prompt requesting the network interface to be used displays. Type auto or 
ethx, where x is the number of the Ethernet port to be used for connection 
to the source. 

Step 13 If you entered an Ethernet port as the connection to the source, a prompt for 
the network address, netmask, and gateway displays. Enter the requested 
IP address, netmask, and gateway addresses. (You can leave the netmask 
and gateway addresses blank if you want to.) 




Note In the following step, for SecureNet 7100 products that have SCSI drives, you 
must specify pds7100 but, for SecureNet 7100 products that have IDE drives, the 
correct entry is: 

pds5700 rsynchost=/dev/hda 

Step 14 You are prompted for the model name of the appliance. Enter the 
appropriate model name as listed below: 

pds1105 
pds1110 
pds2105 
pds2110 
pds2300 
pds2400 
pds5100 
pds5300 
pds5400 
pds5500 
pds5700 rsynchost=/dev/hda 
pds7100 
pds7200 
pds7300 

and then press [Enter]. 

Step 15 Wait for the software installation to complete. Be patient. This takes about 
five minutes (length of time may vary). 

When software installation finishes, a reboot prompt displays and, if you 
installed the software from a CD, the CD ejects from the CD-ROM reader. 
GRUB runs again as the bootloader. 




Note Step 16 and Step 17 are optional. The unit will continue to boot in serial console 
mode (as opposed to KVM mode) without user intervention. You only need to "Start 
Pilot KVM" if you want to watch the boot up process. The end result of both methods 
is the localhost login prompt ( Step 18) . 



Step 16 Watch for the Press any key prompt (it displays five times) and then 
quickly press [Enter] (within five seconds). A list of installation options 
displays. 

If you missed pressing [Enter] within the 5-second period, reboot the 
appliance and go back to the beginning of Step 16 . 

Step 17 Using the arrow keys, quickly highlight the appropriate option (must match 
your earlier selection) and press [Enter]. 

Your selection begins installation. 

Step 18 Wait for your selection to finish installing and for the Linux localhost login 
prompt to display. 

Step 19 When prompted, type root as the username and then press [Enter], and 
then type password as your password and then press [Enter]. 

Software installation from the image on disk is complete. The appliance is now 
running with the default root password shown above; change it before you connect 
the appliance to a production network. 

Step 20 Go to " Staging " to restage the appliance using the staging setup. When 
restaging is complete, dismantle the staging setup and then go to 
" Configuration " to reconfigure the appliance as needed. 
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Appendix B 



Building a Software Repository 

This appendix describes how to set up a remote repository of PDS Pilot software for 
performing software maintenance. Intrusion provides a remote software repository on 
the Intrusion corporate ftp site ( ftp.intrusion.com) . Also, Intrusion appliances in the 
2300, 2400, 5000, and 7000 series have built-in software repositories on their internal 
hard drives. 



Software Repository Use 

Users with a few appliances may find it convenient to update software from the 
Intrusion ftp site. 

Note PDS 1100 and PDS 2100 appliances do not have an internal repository, so you 
must use the repository on our ftp site to update those appliances. 

If you need to maintain a large number of appliances deployed for an enterprise or a 
Managed Service Provider (MSP), it can be beneficial to create and use a centralized 
software repository. You can create a centralized software repository using the PDS 
Appliance Software CD from the documentation packs for Intrusion appliances or 
using additional package management software provided by Intrusion or other 
vendors. The software contained on the software CD is applicable for all Intrusion 
appliance series. 




Note Establishing a remote repository requires the use of a Web (HTTP) server or 
FTP server to host the repository. The details of setting up the Web server or FTP 
server are not included in this document. The instructions in this appendix assume that 
a Web Server or FTP Server has been deployed and that the system administrator/ 
security analyst has the appropriate privileges and knowledge required to add files and 
subdirectories to the server. 
Create the Repository 

Use the PDS Appliance Software CD to create the software repository by performing 
the following steps: 

Step 1 Place the PDS Appliance Software CD in the CD drive of any computer 
that can read ISO 9660-formatted CDs (with Rock Ridge, El Torito, or 
Joliet extensions) and has network access to the HTTP or FTP server that 
will host the repository. 

Step 2 Copy all the files and directories in the directory X:/PILOT to any directory 
accessible by the HTTP server or FTP server, where X is the drive letter of 
the CD-ROM drive in which you placed the CD. 




Note For the purposes of this documentation, it is assumed the files and directories 
have been copied into a subdirectory named /Repository under the root directory of 
the HTTP server or FTP server. 



Access the Repository 

After you create the repository, perform the following steps to access it as required for 
PDS maintenance or software updates: 

Step 1 Log in to PDS Pilot (the Web Management GUI of the appliance). 

Step 2 Click on the Package Management link on the navigation pane. 

Step 3 Click on the Change Default APT Repository Location link. 

Step 4 If the repository is hosted on an HTTP server, enter one of the following 
in the text box labeled URL: 

rpm http://<user>:<password>@<server>:<port> <path to /PILOT/> pds 

--OR-- 

rpm http://<server>:<port> <path to /PILOT/> pds 

Step 5 If the repository is hosted on an FTP server, enter one of the following 
in the text box labeled URL: 

rpm ftp://<user>:<password>@<server> <path to /PILOT/> pds 

--OR-- 

rpm ftp://<server>:<port> <path to /PILOT/> pds 

A user name and password given in the URL are stored in the appliance's APT 
source configuration and are sent to the server in clear text; use an account 
that has read-only access to the repository directory and nothing else. 

Any Intrusion appliance operations that require the repository will now be 
able to access the repository you created. 
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Appendix C 



Using the Console Port 

This appendix describes how to connect to a Linux shell on the PDS appliance to enter 
text commands. If the PDS appliance has keyboard and video monitor connections 
(for example, PDS 5315 and PDS 5515 appliances), you can connect those devices 
and enter commands directly. If the appliance does not have keyboard and video 
monitor connections (for example, PDS 2315 and PDS 5115 appliances), you must 
connect to the Linux shell through the console port using either a dumb terminal 
(VT100-compatible) or a personal computer (PC) with terminal emulator software. 
PDS 7100, PDS 7200, and PDS 7300 series appliances include a rear serial port 
designed for use as a console port. 



Set Up a Terminal Emulator 

Intrusion PDS 1000, PDS 2000, and PDS 5000 series appliances allow you to connect 
to a Linux shell on the appliance using a terminal emulator. Perform the following 
steps to set up a terminal emulator: 

Step 1 Gather the following items: 

• a PC with a terminal emulator such as HyperTerminal for Windows 
(included in most Windows installations) or Minicom for Linux (included 
in most Linux distributions) 

• a 9-pin null modem cable 

• a 9-pin gender changer female-to-female (if necessary) 

Step 2 If necessary, connect the 9-pin gender changer to one end of the null 
modem cable. 

Step 3 Connect one end of the null modem cable to the serial (console) port on the 
appliance. 

Step 4 Connect the other end of the null modem cable to a serial port on the PC. 
Note the identity of the serial port so that you can configure it for 
communication. 

Note To execute the minicom command on a Linux computer, you must be logged 
in as root. 

Step 5 Start the terminal emulator by executing the appropriate command 
(hypertrm for HyperTerminal for Windows or minicom for Minicom for 
Linux). 
Step 6 Refer to the terminal emulator's documentation for the appropriate 
commands for viewing/editing the communications parameters. Make sure 
the parameters are set as follows: 

HyperTerminal                          Minicom 
Serial port: COM1, COM2, COMx          A - Serial device: /dev/ttyS1 
Terminal emulation: VT100              B - Lockfile location: /var/lock 
Flow control: Hardware                 C - Callin Program: <blank> 
Baud rate: 38400                       D - Callout Program: <blank> 
Number of bits: 8                      E - Bps/Par/Bits: 38400 8N1 
Parity: None                           F - Hardware Flow Control: No 
Number of stop bits: 1                 G - Software Flow Control: Yes 

(The two columns give different flow-control settings. If the console shows no 
output or garbled output at 38400 8N1, try the other flow-control setting.) 
Step 7 Press [Enter] to initiate communication with the PDS console. 

A login prompt displays. 
Step 8 Log in to the appliance as the root user. 



Use a Console With PDS 7100/7200/7300 Models 

To use a console by connecting a terminal emulator to the serial port of a PDS 7100, 
PDS 7200, or PDS 7300 series appliance, perform the following steps: 

Step 1 Gather the following items: 

• a PC with a terminal emulator such as HyperTerminal for Windows 
(included in most Windows installations) or Minicom for Linux (included 
in most Linux distributions) 

• an RJ45-to-DB9 adapter cable labeled "DSR-Peripherals" (included with 
your PDS) 

• a null-modem cable 

Step 2 Connect the RJ45 end of the cable to the appropriate serial (console) port 
on the appliance (the RJ45 serial port on the rear of the appliance, not the 
Emergency Management Port on the front of the appliance). 

Step 3 Connect the DB9 end of the cable to the null-modem cable and then plug 
that cable into a serial port on the PC on which you are running terminal 
emulation software. Note the identity of the serial port so that you can 
configure it for communication. 

Note To execute the minicom command on a Linux computer, you must be logged 
in as root. 

Step 4 Start the terminal emulator by executing the appropriate command 
(hypertrm for HyperTerminal for Windows or minicom for Minicom for 
Linux). 
Step 5 Refer to the terminal emulator's documentation for the appropriate 
commands for viewing/editing the communications parameters. Make sure 
the parameters are set as follows: 

HyperTerminal                          Minicom 
Serial port: COMx                      A - Serial device: /dev/ttySx 
Terminal emulation: VT100              B - Lockfile location: /var/lock 
Flow control: Hardware                 C - Callin Program: <blank> 
Baud rate: 38400                       D - Callout Program: <blank> 
Number of bits: 8                      E - Bps/Par/Bits: 38400 8N1 
Parity: None                           F - Hardware Flow Control: No 
Number of stop bits: 1                 G - Software Flow Control: Yes 

Step 6 Press [Enter] to initiate communication with the console connected to the 
appliance. 

A login prompt displays. 
Step 7 Log in to the appliance as the root user. 
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Appendix D 



PCI Card Support 

This appendix describes the Peripheral Component Interface (PCI) cards that have 
been tested for support with the PCI slots included in some PDS appliances. 

All of these cards are automatically configured by the PDS operating system on boot. 



Supported PCI Card Types 

The supported cards are listed in Table D-1. 

Table D-1 Card Types Supported for PDS Appliances with PCI Slots 

Appliance           Manufacturer   Model Number              Card Type                           Maximum Number 
PDS 5315/5515       Intel          Sensor/100 S Dual Port    Dual 10/100 NIC                     3 
                    Sangoma        S5141                     X.21/V.35                           3 
                    Broadcom       BCM95805                  VPN Accelerator                     1 
                    Phobos         P430TX                    Quad 10/100 NIC                     4 
PDS 7215/PDS 7315   Adaptec        ANA-62044                 Quad 10/100 NIC                     4 
                    Intel          PRO/1000 T                Gigabit Copper NIC                  4 
                    Intel          PRO/1000 F                Gigabit Fiber NIC                   4 
                    Intel          PRO/1000 XT               Gigabit Copper NIC (Low Profile)    4 
                    Intel          PRO/1000 XF               Gigabit Fiber NIC (Low Profile)     4 
                    Broadcom       BCM95821                  VPN Accelerator                     1 
                    Phobos         P430TX                    Quad 10/100 NIC                     4 

Note Although some Intrusion appliances contain PCI cards that provide standard 
Ethernet interfaces, no additional PCI cards are supported. 



PDS Pilot v2.7 User Guide, March 2003 (700-0599-101 Rev. I) 

Appendix E 



Configuring VRRP 

This section provides information you will need to configure VRRP (Virtual Router 
Redundancy Protocol). 

The Virtual Router Redundancy Protocol daemon is an open source program that 
enables failover capabilities for routers and firewalls. The service can be installed by 
selecting it on the Install Services page during appliance staging, or during appliance 
configuration. 



Install VRRP

To install VRRP, perform the following steps:

Step 1 To install the VRRP service (its daemon name is keepalived) during appliance staging, refer to "Perform Staging".

To install the VRRP service (its daemon name is keepalived) during appliance configuration, refer to "Install Services".

Step 2 After installing the service, stop the keepalived daemon to prepare for configuration. For more information refer to "Daemon Control".




Note For more information about the daemon keepalived, go to 
http://keepalived.sourceforge.net 
Configure VRRP



To configure VRRP on a PDS appliance, perform the following steps: 
Step 1 Log into PDS Pilot. 

The PDS Pilot Main page displays. See Figure E-1.

[Figure: PDS Pilot login page with User Name and Password fields]

Figure E-1 PDS Pilot Main Page



Step 2 In the Navigation Bar, click on Application Control and then click on the 
VRRP tab. 
The VRRP Configuration page displays. See Figure E-2.

[Figure: VRRP Configuration page with a Router ID / Interface table, a New Router Name field, an Interface Selection drop-down (eth1), and Submit and Reset buttons]

Figure E-2 VRRP Configuration Page

Step 3 In the New Router Name text field, enter a unique name for this router. In this example, router1 will be used.

Step 4 Leave the Interface Selection set at eth1.

Step 5 Click on the Submit button.

The VRRP Router Added page displays. See Figure E-3.

[Figure: VRRP Configuration page showing the message "Router ID router1 added successfully", a Router ID / Interface table listing router1 on eth1 with a delete link, the New Router Name field, the Interface Selection drop-down (eth1), and Submit and Reset buttons]

Figure E-3 VRRP Router Added Page

The green message at the top of the page indicates the router was added 
successfully. 
Step 6 Click on the newly created Router name link.

The Edit Router page displays. See Figure E-4.

[Figure: Edit Router page ("VRRP Configuration :: Edit router1") with the fields VRRP Instance Name, Interface, Virtual Router ID, Priority, Virtual IP Addresses and Monitor Interfaces (Format: 'interface name' 'delta value'; Example: eth1 25), plus Submit and Reset buttons]

Figure E-4 Edit Router Page

Step 7 In the Virtual Router ID field, enter the virtual router ID.

Step 8 In the Priority field, enter the priority.

Step 9 In the Virtual IP Addresses field, enter the virtual IP address of eth1.

Step 10 In the Monitor Interfaces fields, enter the values of the monitored interfaces.

Step 11 Click on the Submit button.

Step 12 Repeat Step 3 through Step 11 for the eth2 and eth3 interfaces. Our example uses the following values:

                        router2             router3
Router Name:            router2             router3
Virtual Router ID:      52                  53
Priority:               90                  90
Virtual IP Addresses:   <variable>          <variable>
Monitor Interfaces:     eth1 25, eth3 25    eth1 25, eth2 25

Step 13 When you have finished configuring all three interfaces, go to Step 14.

Step 14 Start the keepalived daemon as described in "Daemon Control".
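The three instances of this procedure, written out as a keepalived configuration and sanity-checked before the daemon is started in Step 14. This is an added example, not code from the guide or from keepalived: router2 and router3 carry the numbers the procedure gives, while router1's virtual router ID (51), its monitored interfaces, and every IP address are constructed placeholders, and the mapping of the GUI's "delta value" onto keepalived's track_interface weight is an assumption.

```python
"""Render the procedure's VRRP instances as a keepalived configuration and
sanity-check them before the daemon is started.

Added example; not code from the PDS Pilot guide or from keepalived.
router2/router3 use the numbers the procedure gives; router1's virtual
router ID and monitored interfaces and every IP address are placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import ip_interface


@dataclass
class VrrpRouter:
    name: str                  # VRRP instance name (the GUI's Router Name)
    interface: str             # interface the instance runs on
    vrid: int                  # Virtual Router ID, 1..255 per RFC 2338
    priority: int              # 1..254; 255 is reserved for the address owner
    virtual_ips: list          # virtual IP addresses, CIDR notation
    monitor: dict = field(default_factory=dict)   # monitored interface -> delta


def validate(routers):
    """Return a list of problems; an empty list means the set looks sane."""
    problems = []
    seen = {}
    for r in routers:
        if not 1 <= r.vrid <= 255:
            problems.append(f"{r.name}: virtual router ID {r.vrid} outside 1-255")
        if not 1 <= r.priority <= 254:
            problems.append(f"{r.name}: priority {r.priority} outside 1-254 "
                            "(255 is the address owner, 0 means 'release mastership')")
        if r.interface in r.monitor:
            problems.append(f"{r.name}: monitors its own interface {r.interface}")
        for iface, delta in r.monitor.items():
            if not 1 <= delta <= 254:
                problems.append(f"{r.name}: delta {delta} for {iface} outside 1-254")
        # The same VRID may appear only once per interface on this appliance;
        # the peer that backs this router up uses the same VRID on the far side.
        key = (r.interface, r.vrid)
        if key in seen:
            problems.append(f"{r.name}: VRID {r.vrid} on {r.interface} "
                            f"already used by {seen[key]}")
        seen[key] = r.name
        if not r.virtual_ips:
            problems.append(f"{r.name}: no virtual IP address")
        for addr in r.virtual_ips:
            try:
                ip_interface(addr)
            except ValueError:
                problems.append(f"{r.name}: bad virtual IP address {addr!r}")
    return problems


def render(routers):
    """Produce keepalived.conf text for the given instances."""
    out = []
    for r in routers:
        out += [f"vrrp_instance {r.name} {{",
                f"    interface {r.interface}",
                f"    virtual_router_id {r.vrid}",
                f"    priority {r.priority}",
                "    advert_int 1",
                "    virtual_ipaddress {"]
        out += [f"        {addr}" for addr in r.virtual_ips]
        out.append("    }")
        if r.monitor:
            # Assumption: the GUI's "delta value" is how far the priority drops
            # when the monitored interface fails, i.e. a negative track weight.
            out.append("    track_interface {")
            out += [f"        {iface} weight -{delta}" for iface, delta in r.monitor.items()]
            out.append("    }")
        out.append("}")
    return "\n".join(out) + "\n"


def example_routers():
    """The procedure's three routers (router1's VRID, its monitored interfaces
    and all addresses are constructed placeholders)."""
    return [
        VrrpRouter("router1", "eth1", 51, 90, ["192.0.2.1/24"], {"eth2": 25, "eth3": 25}),
        VrrpRouter("router2", "eth2", 52, 90, ["198.51.100.1/24"], {"eth1": 25, "eth3": 25}),
        VrrpRouter("router3", "eth3", 53, 90, ["203.0.113.1/24"], {"eth1": 25, "eth2": 25}),
    ]


if __name__ == "__main__":
    routers = example_routers()
    issues = validate(routers)
    print("\n".join(issues) if issues else render(routers))
```

If validate() reports anything, fix the instance before starting the daemon: a VRID collision on one interface or an out-of-range priority is not rejected by the protocol, it simply produces an election you did not intend.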
Appendix F



Generating SNMP Traps 

The mon program allows you to configure network monitoring to generate SNMP 
traps. This program becomes available after you have staged your appliance. 

By customizing SNMP trap definitions in the configuration file mon.cf and setting up 
the alert capabilities, you can configure custom SNMP trap and alert operation. You 
will need to specify custom arguments (like SNMP version, management station IP 
address, community string, and trap numbers) to set up SNMP trap alerts. Refer to the 
manpages for the snmptrap program by typing the following command at the 
command line: 

man snmptrap 

Caution Use of the mon program consumes system resources and can affect appliance operation. For example, running mon on a PDS 1100 may affect the VPN/firewall throughput. Or, on a PDS 1100, if the CPU is processing excessive VPN/firewall traffic, mon intervals for monitoring (for SNMP trap alerts) may be longer than the value set.
Installing mon



To install mon, perform the following steps: 

Step 1 Log in to the appliance to get to the PDS Pilot Main Page. 

Step 2 From the Package Management page, click on the Install Packages link. The Install Package via APT page displays (Figure F-1).

[Figure: Install Package via APT page with a Package Name field (examples given: ntp, dhcp), an Install/Upgrade via APT button, and the Apt Repository Location "rpm file:/pds . pds" with a "Click here to change" link]

Figure F-1 Install Package Page (Top)

Step 3 In the Package Name field, type the following package name: 
mon 

Step 4 Click on the Install/Upgrade via APT button to begin the installation. 

After you install the program, you can configure the mon.cf configuration 
file as described in "Configuring mon" . 

Note You can also install mon by running the following command from the Linux 
command line: 

apt-get install mon 
Configuring mon

You can edit the configuration file mon.cf (located at /etc/mon) to configure mon to generate SNMP trap messages that meet your needs. The file contains commented lines that start with "#" that you can customize with your information and then "uncomment."

Each sample SNMP trap definition in mon.cf starts with a monitor function and ends with a service function. The snmp.alert service passes arguments to the snmptrap program to handle alerting for each trap definition.

To ensure that you edit the files correctly, refer to the examples in the mon.cf file 
comments. Refer to the manpages provided with mon by typing the following 
command at the command line: 

man mon 



PDS Pilot 2.7 supports the SNMP traps listed in Table F-1:

Table F-1 SNMP Trap Descriptions

Description                  Monitor Function
Interface Status             iface_status.monitor
Storage Utilization          disk_usage.monitor
CPU Utilization              cpuusage.monitor
Memory Utilization           mem_usage.monitor
Check Point Daemon Status    process_running.monitor
Dropped Inbound Packets      dropped_inc_packet.monitor
Failed Login Attempts        login_failure.monitor
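The "Configuring mon" paragraphs and Table F-1 describe a monitor function paired with an alert that hands arguments to snmptrap. The following is an added example of that pairing, not the guide's mon.cf and not code from mon or net-snmp: a monitor in the style of disk_usage.monitor run over a constructed df-style sample, formatted the way mon reads a monitor's result, and the snmptrap argument list an alert would build from it. The manager address, community string, enterprise OID and trap number are placeholders.

```python
"""A mon-style monitor function and the snmptrap call an alert would make.

Added example; not the guide's mon.cf and not code from mon or net-snmp.
The df-style text, the manager address, the community string, the
enterprise OID and the trap number are all constructed placeholders.
"""
import shlex

# Constructed sample in the shape of `df -P` output; not captured from a PDS.
SAMPLE_DF = """\
Filesystem         1024-blocks    Used Available Capacity Mounted on
/dev/sda1              1032088  412124    567536      43% /
/dev/sda5              4128448 3797240    121456      97% /var
/dev/sda6              2064208  103120   1856224       6% /home
"""


def disk_usage_check(df_text, threshold_pct):
    """Return (failed_mounts, detail_lines) for mounts at or above the threshold."""
    failed, details = [], []
    for line in df_text.splitlines()[1:]:          # skip the header line
        fields = line.split()
        if len(fields) < 6 or not fields[4].endswith("%"):
            continue                                # tolerate lines in another shape
        pct, mount = int(fields[4].rstrip("%")), fields[5]
        if pct >= threshold_pct:
            failed.append(mount)
            details.append(f"{mount} at {pct}% (threshold {threshold_pct}%)")
    return failed, details


def monitor_output(failed, details):
    """Shape the result the way mon reads a monitor script: exit status 0
    when nothing failed, otherwise a non-zero status with the failing items
    on the first line and free-form detail on the lines after it."""
    if not failed:
        return 0, ""
    return 1, "\n".join([" ".join(failed)] + details) + "\n"


def snmptrap_argv(version, manager, community, enterprise_oid, specific_trap, message):
    """Build the argv an alert script would hand to net-snmp's snmptrap.
    Argument order follows the snmptrap manpage (`man snmptrap`); the
    varbind OID is a placeholder under the enterprise subtree."""
    varbind = [f"{enterprise_oid}.1", "s", message]
    if version == "1":
        # generic-trap 6 = enterpriseSpecific; '' lets snmptrap fill in the
        # agent address and the uptime itself
        return ["snmptrap", "-v", "1", "-c", community, manager,
                enterprise_oid, "", "6", str(specific_trap), ""] + varbind
    if version == "2c":
        # RFC 3584 mapping of a v1 enterprise-specific trap to a v2 trap OID
        trap_oid = f"{enterprise_oid}.0.{specific_trap}"
        return ["snmptrap", "-v", "2c", "-c", community, manager, "", trap_oid] + varbind
    raise ValueError(f"unsupported SNMP version {version!r}")


def disk_alert_command(df_text, threshold_pct, version="2c"):
    """Run the check and return the snmptrap command line to send, or None
    when nothing crossed the threshold."""
    failed, details = disk_usage_check(df_text, threshold_pct)
    code, summary = monitor_output(failed, details)
    if code == 0:
        return None
    argv = snmptrap_argv(version, "192.0.2.10", "public",        # placeholders
                         "1.3.6.1.4.1.99999", 3, summary.splitlines()[1])
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(disk_alert_command(SAMPLE_DF, 90))
```

With SNMPv1 or v2c the community string crosses the network in cleartext, so the management station should accept traps only from the appliance's address, and the mon.cf that holds the string should be readable by root only.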






Appendix G 



Glossary of Terms and Abbreviations



10/100BaseT
Ethernet LAN standard that has a limiting distance of 100 meters per segment and a peak transmission speed of 10 Mbps or 100 Mbps. See also Ethernet and Fast Ethernet.

administrator
A person who is permitted to access the client side of the firewall, that is, the administrator will be allowed to use the graphical user interface (GUI) client to configure the software installed on the PDS.

APT
Advanced Package Tool, a software manager that can be used to install, maintain, and update the software on a system.

autologout
Refers to the function that automatically logs a command line (bash) session out after a specified period of inactivity. The timeout period can be set to any amount of time you want. See also TMOUT.

Blowfish
A secret-key block cipher with a 64-bit block size and a variable-length key (from 32 to 448 bits). Blowfish can serve as a drop-in replacement for DES.

callbackicom
A set of Intrusion customized policies for mgetty.

call-back number
A phone number that is included in the authorized list of call-back numbers and can be dialed by a modem to allow "out-of-band" access to a remote user dialing into the modem user account.

category 5 wiring
Data-grade unshielded twisted-pair (UTP), capable of transmission rates up to 155 Mbps. See also UTP.
crossover cable
For Ethernet cabling from hub to hub, from Xcvr to Xcvr, the transmit and receive pairs must be reversed. Pins 1 and 2 at B must be a twisted pair wired through to pins 3 and 6, respectively, at A. Pins 3 and 6 at A must be a twisted pair wired through to pins 1 and 2, respectively, at B. See straight-through cable.

DB9
A standard 9-pin D-connector used for multi-point communication.

DES
Data Encryption Standard, a block cipher, symmetrical algorithm (extremely fast) that uses the same private 64-bit key for encryption and decryption. This is a 56-bit DES Cipher Block Chaining (CBC) with Explicit IV. CBC requires an initialization vector to start encryption. The IV is explicitly given in the IPSEC packet. See also triple DES.

DHCP
Dynamic Host Configuration Protocol, a protocol for assigning dynamic IP addresses to devices on a network. With DHCP, a device can have a different IP address each time it connects over a network.

dhcp_1:2.0pl5-4pds
A service that allows a device to dynamically "lease" an IP address from a pool of addresses, instead of requiring the device to have a fixed IP address. This is ideal for devices like laptops, which will not be connected to the network at all times. Go to http://www.isc.org/dhcp.html for detailed information on configuring and using this service. See also service.

dotted quad
A format for representing 32-bit binary IP addresses in decimal notation. Each quad represents 8 bits (8 x 4 = 32) and can have a decimal value of 0 through 255. The quads are separated by periods (dots), for example, 123.123.123.0.

DNS
Domain Name System, the Internet's standard for naming a host, and a hierarchical system of domain name servers to resolve host names into IP addresses (for example, radguard.com to 192.168.1.50). DNS is primarily a distributed database of host information. DNS name servers resolve computer names to IP address mapping queries.

Ethernet
A local-area network (LAN) protocol that uses a bus or star topology and supports data transfer rates of 10 to 100 Mbps.

Failover
A backup operational mode in which the functions of a system component (such as a processor, server, network, or database, for example) are assumed by secondary system components when the primary component becomes unavailable through either failure or scheduled down time. Used to make systems more fault-tolerant, failover is typically an integral part of mission-critical systems that must be constantly available. The procedure involves automatically offloading tasks to a standby system component so that the procedure is as seamless as possible to the end user.
Fast Ethernet
Fast Ethernet has an Ethernet hub with an internal bus that runs at 100 Mbps. Workstations and hubs are connected using data-grade UTP and category 5 wiring. See also 10/100BaseT.

firewall
A combination of software/hardware that limits exposure of a network to outside intrusion. A network-level firewall (packet filter) examines traffic at the network level. An application-level firewall examines traffic at an application level (for example, FTP, Email, or Telnet) and can readdress outgoing traffic so it appears to originate from the firewall, rather than from an internal host.

freeswan_1.9-2pds
A Linux service that provides IPSEC functionality which uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorized reading of packet contents. The "pds" in the service name indicates that this is a version of an Open Source Linux service that has been customized for the Intrusion PDS Pilot. Go to http://www.freeswan.org for detailed information on configuring and using this service. See also service and IPSec.

gateway
A network point that acts as an entrance to another network. In a company network, a proxy server acts as a gateway between the internal network and the Internet. A gateway may also be any machine or service that passes packets from one network to another network in their trip across the Internet.

IP
Internet Protocol, see TCP/IP.

IPSec
Internet Protocol Security. A set of protocols developed by the Internet Engineering Task Force (IETF) to allow the secure exchange of packets at the IP layer. Sending devices and receiving devices share a public key for encryption and an IPSec-compliant device on the receiving side decrypts each packet.

LAN
Local Area Network, a communications network that spans a limited geographical area. A LAN enables sharing of disks, files, printers, and other resources. The LAN provides the computer user with the opportunity to communicate with other users. The LAN consists of a network cable linking the computers and nodes and the Network Operating System.

mgetty
A Linux service that allows you to make optimum use of your modem or fax modem in a Linux environment.

ntp 4.0.99k-15pds
A Linux service that provides Network Time Protocol functionality to the PDS. NTP keeps computer clocks in synchronization. It works by a client (the PDS) connecting to a time server, working out the delay between them (on a LAN it might be only 1-2 msec, whereas across the internet it might be several hundred milliseconds), and then it asks for the time and sets its own clock. Go to http://www.cis.udel.edu/~ntp for detailed information on configuring and using this service. See also service.

PCI
Peripheral Component Interface. The 32-bit bus architecture that is widely used in Pentium-based personal computers. A PCI bus provides a high-bandwidth data channel between system board components such as the CPU and devices such as hard disks, video adapters, and network interface cards (NICs).
pdssnmpsupport
A plug-in for snmpd, a Linux service that provides Simple Network Management Protocol (SNMP) functionality for the PDS. The "pds" in the service name indicates that this is a version of an Open Source Linux service that has been customized for the Intrusion PDS Pilot. Go to http://www.netsnmp.org/ for detailed information on configuring and using this service. See also service and SNMP.

out-of-band
A method of accessing a PDS using a different path from normal traffic. A PDS with a modem permits out-of-band access using a custom script and call-back numbers. A user dials into the modem account, enters the password, and then enters a callback number when prompted. If the "call-back number" is on the list of authorized numbers, the modem calls back at the specified number and the user can manage the PDS from a command line.

RJ-45
An 8-pin Registered Jack connector used for data transmission over standard telephone wire. It comes in versions for flat or twisted wire.

rsync_2.4.6-2pds
A Linux service that lets your PDS act as a file synchronization server or client. The rsync service is used to mirror files on the PDS with files on a web server, preserving file permissions, links, file times and more. The "pds" in the service name indicates that this is a version of an Open Source Linux service that has been customized for the Intrusion PDS Pilot. Go to http://rsync.samba.org/rsync/ for detailed information on configuring and using this service. See also service.

service
In Linux, a software application that provides functionality in a particular area. For example, a routing service (such as zebra) manages TCP/IP based routing protocols. Services can be added or removed as required to provide the functionality that you need for your application. Services that are not needed can be disabled to reduce the risk of intrusions into the network.

sendmail_8.11.2-14.1pds
A Linux service that lets your PDS act as a mail server. The sendmail service is the de facto standard Internet mail server. The "pds" in the service name indicates that this is a version of an Open Source Linux service that has been customized for the Intrusion PDS Pilot. Go to http://www.sendmail.org/ for detailed information on configuring and using this service. See also service.

SNMP
Simple Network Management Protocol, a software standard that network management applications use to remotely monitor, maintain, and configure network devices such as TCP/IP-based networks.

pdssnmpsupport
A plugin for snmpd, a Linux service that provides Simple Network Management Protocol (SNMP) functionality for the PDS. The "pds" in the service name indicates that this is a version of an Open Source Linux service that has been customized for the Intrusion PDS Pilot. Go to http://www.netsnmp.org/ for detailed information on configuring and using the snmpd service. See also service and SNMP.

SSH
Secure Shell, a means of communicating between two computers using an encrypted connection.

SSL
Secure Sockets Layer technology, the industry-standard method for protecting web communications. SSL was developed by Netscape Communications Corporation to enable digital certificates to encrypt data. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. Because SSL is built into all major browsers and web servers, simply installing a digital certificate turns on their SSL capabilities.
static route
A route that is preset and automatically loaded into a routing table. The static routes take precedence over routes chosen by all dynamic routing protocols.

straight-through cable
For Ethernet cabling from Hub to Xcvr, the transmit and receive pairs must be straight-through. Pins 1 and 2 must be a twisted pair. Pins 3 and 6 must be a twisted pair. See crossover cable.

subnet mask
In the Internet Protocol addressing scheme, a group of selected bits whose values serve to identify a subnetwork. All members of the subnetwork share the mask value. Packets not destined for the subnetwork are routed elsewhere.

TCP/IP
Transmission Control Protocol/Internet Protocol, two interrelated protocols that are part of the Internet protocol suite. TCP operates on the OSI Transport Layer and breaks data into packets. IP operates on the OSI Network Layer and routes packets.

TMOUT
The command line shell variable for the bash autologout time. The no-activity timeout function is manipulated by editing the shell script tmout.sh, located in the directory /etc/profile.d, where you change the value "TMOUT=600" (which by default is set to 600 seconds or 10 minutes) to any value in seconds that you want. For example, for a 1-minute timeout, you would edit the value to "TMOUT=60" and, for a 20-minute timeout, you would edit the value to "TMOUT=1200". Autologout is disabled by setting "TMOUT=0". The new value becomes active after you log out and then log back in.

triple DES
Also 3DES. A security enhancement to Data Encryption Standard (DES) that employs three successive single-DES block operations. Using two or three unique DES keys, this increases the system's resistance to known cryptographic attacks by increasing the effective key length.

UDP
User Datagram Protocol, a connectionless protocol that runs on top of IP networks like TCP. However, UDP offers few recovery services; it provides a direct way to send and receive datagrams over a network. UDP is used mainly to broadcast messages.

URL
Uniform Resource Locator, an address in a standard format that locates files (resources) on the Internet and the Web.

UTC
Universal Time Coordinated. A time scale that couples Greenwich Mean Time, which is based solely on the Earth's inconsistent rotation rate, with highly accurate atomic time. When atomic time and Earth time approach a one second difference, a leap second is calculated into UTC.

UTP
Unshielded Twisted Pair, a type of data cable used in interconnecting communications devices. The cables have four twisted pairs of wires; a total of eight wires.

V.35
An interface used on Data Terminal Equipment (DTE) and Data Communication Equipment (DCE) that connects to high speed digital carrier services.






VRRP
Virtual Router Redundancy Protocol daemon. The VRRP protocol dynamically assigns virtual routers to work with VRRP routers that run the VRRP protocol on a LAN. This arrangement enables multiple routers on the same multiaccess link to use the same virtual IP address. One router is elected the master router for the configuration, and the other routers serve as backups in case the master fails. Go to the VRRPd home page at http://w3.arobas.net/~jetienne/vrrpd/index.html for more information.

X.21
A digital signalling interface used between customer equipment and carrier equipment.

XDM
X-Display Manager. A service that provides a graphical login interface to bring up the X server and prompt for user name and password information. Go to http://www.xfree86.org for detailed information on configuring and using this service. See also service.

xinetd_2.1.8.9pre14-6pds
A Linux service that is designed to provide secure Internet functionality for the PDS. The "pds" in the service name indicates that this is a version of an Open Source Linux service that has been customized for the Intrusion PDS Pilot. Go to http://synack.net/xinetd for detailed information on configuring and using this service. See also service.
Appendix H



Upgrade Appliance to Latest Release

This procedure provides the specific steps to be performed to upgrade your Intrusion 
security appliance to the latest release of PDS Pilot software and SecureNet Sensor 
(formerly SecureNet Pro, or SNP). PDS Pilot consists of a hardened operating system, 
a Web-based Management GUI (Graphical User Interface), applications, system 
services, and device drivers. 




Important! The appliance you are upgrading must have Internet connectivity and access through firewalls for file transfer using anonymous FTP.



Perform the following steps immediately upon completing installation of your new 
appliance and on a periodic basis to ensure that your appliance has the latest PDS Pilot 
software. 

Determine your Current Version of PDS Pilot 

To determine the current version of PDS Pilot on your appliance, perform the 
following steps: 

Step 1 Log in to the PDS Pilot Web Management GUI. 

Step 2 Determine the version of PDS Pilot currently on the appliance by looking 
at the upper left corner of the main PDS Pilot page. The following text 
displays: 

Intrusion PDS Pilot version x.y(z) 
where x.y(z) indicates the release number. 




Note If your appliance is not running PDS Pilot 2.x, contact your sales representative 
or place of purchase for information regarding upgrades. 



Step 3 If the PDS Pilot release is "2.1" or "2.2", go to Step 4 on page H-2.
-OR-

If the release is "2.3" or "2.3 Service Pack 1", go to Step 5 on page H-3.
-OR-

If the release is "2.3 Service Pack 2", skip to Step 6 on page H-3.
-OR-

If the release is "2.4", skip to Step 7 on page H-4.
Any Appliance with PDS Pilot 2.1 or 2.2




Note When updating an appliance from release 2.1 or 2.2, you must perform this procedure to the end. This means that you will be performing five upgrades. The first upgrade will bring your appliance's PDS Pilot up to release 2.2 Service Pack 1. The second upgrade will bring your PDS Pilot up to release 2.3. The third upgrade will bring your PDS Pilot up to release 2.3 Service Pack 2. The fourth upgrade will bring your PDS Pilot up to release 2.4. The fifth upgrade will bring your PDS Pilot up to release 2.7.



Step 4 To upgrade from PDS Pilot release 2.1 or 2.2, perform the following steps:

a. In the navigation pane of the PDS Pilot main window, click on the 
Package Management link. 

b. Click on the Update Applications tab. 




Important! Be sure to enter the path shown in this procedure exactly as shown (including spaces, which are indicated by an overbar character (‾)).



c. In the text box, type the following path:

rpm‾ftp://12.148.143.138/pub/PDSUpdate/Historical‾Pilot2.2SP1(2)‾pds

d. Click on the Update button. 




Important! Error messages will be seen during this process that refer to the file /etc/sources.list. The upgrade is only partially complete at this point, so continue with this procedure.



Note You may receive error messages that the upgrade site is not available or 
reachable. If this occurs, it may be related to Internet availability. Try again later. 



e. Click on the Return link. 

You will now see the Update Applications screen different compared 
to the one displayed in Substep b. above. This is due to the partial 
upgrade that has already occurred. 

f. Click on the Use An Alternate APT Repository radio button to select 
it. 

g. In the text box, type the following path (including the spaces, which are indicated by an overbar character (‾)):

rpm‾ftp://12.148.143.138/pub/PDSUpdate/Historical‾Pilot2.3(2)‾pds

h. Click on the Update button. 

You will receive a dialog box indicating the appliance will reboot 
when the upgrade is complete. 

i. Click on the OK button in the Reboot dialog box. 

j. Your appliance has been updated to release 2.3. Go to Step 5 . 
Any Appliance with PDS Pilot release 2.3 (including v2.3 with Service Pack 1)

Step 5 If the PDS Pilot release number is "2.3" or "2.3 Service Pack 1," perform 
the following steps: 

a. Log in to the PDS Pilot Web Management GUI. 

b. In the navigation pane of the PDS Pilot main window, click on the 
Package Management link. 

c. Click on the Update Applications option. 

d. Click on the Use An Alternate APT Repository radio button to select 
it. 

e. In the text box, type the following path (including the spaces, which are indicated by an overbar character (‾)):

rpm‾ftp://12.148.143.138/pub/PDSUpdate/Historical‾Pilot2.3SP2(8)‾pds

f. Click on the Update button. 




Note You may receive error messages that the upgrade site is not available or 
reachable. If this occurs, it may be related to Internet availability. Try again later. 



You will receive a dialog box indicating the appliance will reboot 
when the upgrade is complete. 

g. Click on the OK button in the Reboot dialog box. 

h. The appliance will complete the upgrade and reboot. Wait 
approximately 3 to 5 minutes before attempting to log back into the 
appliance. 

i. Your appliance has been updated to release 2.3 Service Pack 2. Go to 
Step 6 . 

Any Appliance with PDS Pilot release 2.3 Service Pack 2 

Step 6 If the PDS Pilot release number is "2.3 Service Pack 2," perform the 
following steps: 

a. Log in to the PDS Pilot Web Management GUI. 

b. In the navigation pane of the PDS Pilot main window, click on the 
Package Management link. 

c. Click on the Update Applications option. 

d. Click on the Use An Alternate APT Repository radio button to select 
it. 




Important! Be sure to enter the path shown in this procedure exactly as shown (including spaces, which are indicated by an overbar character (‾)).



e. In the text box, type the following path:

rpm‾ftp://12.148.143.138/pub/PDSUpdate/Historical‾Pilot2.4(7)‾pds

f. Click on the Update button. 
Note You may receive error messages that the upgrade site is not available or
reachable. If this occurs, it may be related to Internet availability. Try again later. 



You will receive a dialog box indicating the appliance will reboot 
when the upgrade is complete. 

g. Click on the OK button in the Reboot dialog box. 

h. The appliance will complete the upgrade and reboot. Wait 
approximately 3 to 5 minutes before attempting to log back into the 
appliance. 

The PDS appliance is now upgraded to PDS Pilot v2.4(7). Go to Step 7.

Any Appliance with PDS Pilot Release 2.4

Step 7 If the PDS Pilot release number is "2.4" (including all service packs), 
perform the following steps: 

a. Log in to the PDS Pilot Web Management GUI. 

b. In the navigation pane of the PDS Pilot main window, click on the 
Package Management link. 

c. Click on the Update Applications option. 

d. Click on the Use An Alternate APT Repository radio button to select 
it. 



Important! In the following step, the path field should already be populated with the correct information. The last 3 characters "snp" and "pds" are for SecureNet appliances and Check Point firewall appliances, respectively. Be sure the path shown in this procedure is exactly as shown (including spaces, which are indicated by an overbar character (‾)).



e. If necessary, type the following path in the text box:

ftp://12.148.143.138/pub/PDSUpdate‾Latest‾pds

-OR-

ftp://12.148.143.138/pub/PDSUpdate‾Latest‾snp

f. Click on the Update button. 




Note You may receive error messages that the upgrade site is not available or 
reachable. If this occurs, it may be related to Internet availability. Try again later. 



You will receive a dialog box indicating the appliance will reboot 
when the upgrade is complete. 

g. Click on the OK button in the Reboot dialog box. 

Step 8 The appliance will complete the upgrade and reboot. Wait approximately 3 
to 5 minutes before attempting to log back into the appliance. 

The PDS appliance is now upgraded to the latest release of PDS Pilot. 
Upgrade PDS Pilot/Check Point to Latest Release

This procedure provides the specific steps to be performed to upgrade your Intrusion 
security appliance to the latest release of PDS Pilot software. PDS Pilot consists of a 
hardened operating system, a Web-based Management GUI (Graphical User 
Interface), applications, system services, and device drivers. 



Important! The appliance you are upgrading must have Internet connectivity and 
access through firewalls for file transfer using anonymous FTP. 

Upgrading a PDS with NG SmallOffice is not currently supported in the PDS 
Pilot 2.7 release; upgrade support will be added in a future release. 



The RainWall high availability application is not supported in PDS Pilot 2.7. 
Upgrading to PDS Pilot 2.7 is not recommended for appliances with RainWall. 

Instructions for downloading files by name and navigating the Check Point web site 
were correct at the time of document publication. However, filenames and websites 
may change. In the event of changes, contact Check Point for up-to-date filenames and 
downloading instructions. 



Perform the following steps immediately upon completing installation of your new 
appliance and on a periodic basis to ensure that your appliance has the latest PDS Pilot 
software: 

Upgrade Check Point Packages to FP3 (Not for SmallOffice Builds) 

You must upgrade the Check Point RPM packages separately before performing the 
upgrade to PDS Pilot 2.7. Perform the following steps to upgrade the Check Point 
packages: 

Step 1 Stop the firewall and stop connections. Enter the following commands at 
the Linux command line: 

cpstop 

fw unload localhost 

Step 2 Determine which new FP3 Check Point packages you will need to procure 
based on the configuration you are upgrading. 
If you have Enterprise NG, but do not have the performance pack, you will 
need to upgrade the standard Enterprise NG FP3 Check Point RPM 
packages. The standard Enterprise NG Check Point RPM packages are: 

CPshrd (SVN Foundation) 

CPfw1 (VPN-1/FW-1) 

If you have Enterprise NG and the Performance Pack, you will also need 
to upgrade the SecureXL performance pack RPM packages: 

CPppak (SecureXL Performance Pack) 

If you have a VPN accelerator card, you will also need to upgrade the RPM 
package for it: 

CPacc2 (Check Point VPN-1 Accelerator Card II Version 1.0) 

Note RPM packages are implemented as RPM files. The RPM files are contained in 
compressed tar ("tarball") files that can be downloaded from the Check Point 
download site. 

You will need to navigate to the appropriate location on the Check Point site for 
downloading, and access to download pages requires Check Point account and 
password entry. For example, to find the appropriate files, you may need to progress 
through links or pages as follows: 

Services and Downloads>Downloads>Software Subscription Downloads 



Step 3 Open a web browser and go to http://www.checkpoint.com to download the 
files for the Check Point packages you need to upgrade. Navigate to the 
appropriate locations for the packages you need to upgrade: 

a. If you need to upgrade packages for the standard Enterprise NG RPM 
files, navigate to Downloads>VPN-1/FireWall-1 Next Generation 
(Linux Any FP3). 

Click on the SVN Foundation link to download the tarball containing 
the CPshrd RPM. The filename for the tarball file is: 
cpshared_NG_FP3_53267_1_Linux.tgz 

Click on the VPN-1/FW-1 link to download the tarball containing the 
CPfw1 RPM. The filename for the tarball is: 
fw1_NG_FP3_53225_4_Linux.tgz 

b. If you need to upgrade packages for the SecureXL Performance Pack 
RPM files, navigate to Downloads>Performance Pack Next 
Generation (SecurePlatform FP3 Any FP3). 

Click on the SecureXL Performance Pack link to download the 
tarball containing the CPppak RPM. The filename for the tarball is: 
ppak_NG_FP3_5322llLinux.tgz 

c. If you need to upgrade the package for a VPN Accelerator card, navigate 
to Downloads>VPN-1 Accelerator Card II Next Generation (Linux 
Any FP3). 

Click on the VPN-1 Accelerator Card II Download link. The 
filename for the tarball is: 
vpna_II_B0009_1_Linux.tgz 
Step 4 Transfer the downloaded Check Point tarballs to the firewall. You can use 
a file transfer protocol such as ftp or scp to transfer the files. We suggest 
that you transfer the files into the directory /tmp. 




Important! Be sure to type the paths shown in this procedure exactly as shown, 
including spaces. 



At the Linux command line, use the following command to unpack each 
Check Point tarball that you downloaded: 

tar xvzf <tarball_filename> 

Where <tarball_filename> is the name of the tarball containing the RPM file for 
the package you need to upgrade. We suggest that you unpack the tarballs in 
the /tmp directory. Files can be unpacked as shown in the following examples. 

For upgrading standard Enterprise NG RPM packages: 

tar xvzf cpshared_NG_FP3_53267_1_Linux.tgz 

tar xvzf fw1_NG_FP3_53225_4_Linux.tgz 

For upgrading Performance Pack and VPN Accelerator Card RPM 
packages: 

tar xvzf ppak_NG_FP3_5322llLinux.tgz 

tar xvzf vpna_II_B0009_1_Linux.tgz 

For more information concerning the use of the tarballs for upgrading to 
FP3, refer to the following document: 

http://www.checkpoint.com/support/downloads/docs/firewall1/ng/fp3/IndividualInstallations.pdf 

Step 5 Upgrade the standard Enterprise packages. Enter the following commands 
at the Linux command line: 

rpm -Uvh CPshrd-50-03.i386.rpm 

rpm -Uvh CPfw1-50-03.i386.rpm 

Some informational messages may be generated. These messages can be 
ignored. 

Step 6 Remove the old standard Enterprise packages. Enter the following 
commands at the Linux command line: 

rpm -e --noscripts CPfw1-50-00 

rpm -e --noscripts CPshrd-50-00 

Step 7 If you are upgrading the Performance Pack RPM package, enter the 
following commands at the Linux command line: 

rpm -Uvh CPppak-50-03.i386.rpm 

rpm -e --noscripts CPPPack-00-22 

Step 8 If the VPN accelerator card driver is to be upgraded, enter the following 
commands at the Linux command line: 

rpm -Uvh CPacc2-10-00.i386.rpm 

rpm -e CPcrpt 

Step 9 Enter the following command to copy the new Check Point startup file over 
the old one: 

cp /opt/CPfw1-50-03/boot/fw1boot /etc/init.d 

Step 10 Reboot the system. Enter the following command at the Linux command 
line: 

reboot 

Go to " Determine your Current Version of PDS Pilot" and the appropriate 
sections that follow to perform the upgrade to PDS Pilot 2.7. 

Step 11 After performing the PDS Pilot 2.7 upgrade, enter the following command 
to remove Check Point files that are not required with the new packages: 

chkconfig --del fw1preinet 

reboot 

Step 12 Reinitialize secure internal communications. Enter the following 
command at the Linux command line: 

cpconfig 

A menu displays. Choose Option 7 to resend your hostname to the 
certificate server. 

Step 13 If you upgraded packages for the Performance Pack, choose Option 10 to 
enable SecureXL. 

Step 14 Bring up the policy editor application and re-install your security policy. 
(Your policy is still present, but needs to be reinstalled.) 

Determine your Current Version of PDS Pilot 

To determine the current version of PDS Pilot on your appliance, perform the 
following steps: 

Step 1 Log in to the PDS Pilot Web Management GUI. 

Step 2 Determine the version of PDS Pilot currently on the appliance by looking 
at the upper left corner of the main PDS Pilot page. The following text 
displays: 

Intrusion PDS Pilot version x.y(z) 
where x.y(z) indicates the release number. 




Note If your appliance is not running PDS Pilot 2.x, contact your sales representative 
or place of purchase for information regarding upgrades. 
Step 3 If the PDS Pilot release is "2.1" or "2.2", skip to Step 4 on page 1-5. 

-OR- 

If the release is "2.3" (including all service packs), skip to Step 5 on 
page 1-6. 

-OR- 

If the release is "2.4", skip to Step 7 on page 1-6. 

Any Appliance with PDS Pilot 2.1 or 2.2 

Note When updating an appliance from release 2.1 or 2.2, you must perform this 
procedure to the end. This means that you will be performing three upgrades. The first 
upgrade will bring your appliance's PDS Pilot up to release 2.3 Service Pack 2. The 
second upgrade will bring your PDS Pilot up to release 2.4. The third upgrade will 
bring your PDS Pilot up to release 2.7. 



Step 4 To upgrade from PDS Pilot release 2.1 or 2.2, perform the following steps: 

a. In the navigation pane of the PDS Pilot main window, click on the 
Package Management link. 

b. Click on the Update Applications tab. 

Important! Be sure to enter the path shown in this procedure exactly as shown, 
including spaces. 



c. In the text box, type the following path: 

rpm ftp://12.148.143.138/pub/PDSUpdate/Historical PILOT2.3 pds 

d. Click on the Update button. 

Important! Error messages will be seen during this process that refer to the file 
/etc/sources.list. The upgrade is only partially complete at this point, so continue with 
this procedure. 



Note You may receive error messages that the upgrade site is not available or 
reachable. If this occurs, it may be related to Internet availability. Try again later. 



e. Click on the Return link. 

The Update Applications screen now looks different from the one 
displayed in Substep b above. This is due to the partial upgrade that has 
already occurred. 

f. Click on the Use An Alternate APT Repository radio button to select 
it. 

g. In the text box, type the following path (including the spaces): 

rpm ftp://12.148.143.138/pub/PDSUpdate/Historical Pilot2.3SP2(8) pds 

h. Click on the Update button. 
You will receive a dialog box indicating the appliance will reboot 
when the upgrade is complete. 

i. Click on the OK button in the Reboot dialog box. 

j. Your appliance has been updated to release 2.3 Service Pack 2. Go to 
Step 5 . 

Any Appliance with PDS Pilot release 2.3 Service Pack 2 

Step 5 If the PDS Pilot release number is "2.3 Service Pack 2," perform the 
following steps: 

a. Log in to the PDS Pilot Web Management GUI. 

b. In the navigation pane of the PDS Pilot main window, click on the 
Package Management link. 

c. Click on the Update Applications option. 

d. Click on the Use An Alternate APT Repository radio button to select 
it. 

Important! Be sure to enter the path shown in this procedure exactly as shown, 
including spaces. 

e. In the text box, type the following path: 

rpm ftp://12.148.143.138/pub/PDSUpdate/Historical Pilot2.4(7) pds 

f. Click on the Update button. 

Note You may receive error messages that the upgrade site is not available or 
reachable. If this occurs, it may be related to Internet availability. Try again later. 

You will receive a dialog box indicating the appliance will reboot 
when the upgrade is complete. 

g. Click on the OK button in the Reboot dialog box. 

Step 6 The appliance will complete the upgrade and reboot. Wait approximately 
3 to 5 minutes before attempting to log back into the appliance. 

The PDS appliance is now upgraded to PDS Pilot v2.4(7). Go to Step 7. 

Any Appliance with PDS Pilot Release 2.4 

Step 7 If the PDS Pilot release number is "2.4" (including all service packs), 
perform the following steps: 

a. Upgrade the Check Point packages to FP3. 

b. Log in to the PDS Pilot Web Management GUI. 

c. In the navigation pane of the PDS Pilot main window, click on the 
Package Management link. 

d. Click on the Update Applications option. 

e. Click on the Use An Alternate APT Repository radio button to select 
it. 
Important! Be sure to enter the path shown in this procedure exactly as shown, 
including spaces. 

f. In the text box, type the following path: 

ftp://12.148.143.138/pub/PDSUpdate Latest pds 

g. Click on the Update button. 




Note You may receive error messages that the upgrade site is not available or 
reachable. If this occurs, it may be related to Internet availability. Try again later. 



You will receive a dialog box indicating the appliance will reboot 
when the upgrade is complete. 

h. Click on the OK button in the Reboot dialog box. 

Step 8 The appliance will complete the upgrade and reboot. Wait approximately 
3 to 5 minutes before attempting to log back into the appliance. 

The PDS appliance is now upgraded to the latest release of PDS Pilot. 
Appendix J 



Useful Linux Diagnostic Tools 

This appendix provides a list of some standard Linux diagnostic tools that can be used 
from a command line to help you troubleshoot various problems with your PDS 
appliance. 




Note Documentation for these diagnostic tools can be found by entering the following 
command at the command line: 
man <command> 



ping 

This command can be used to test connectivity between the PDS and another host or 
gateway. The ping command sends out ICMP echo request messages to elicit ICMP 
echo response messages. This command provides multiple options for controlling 
transmission of the echo requests, and the handling of the response messages received. 
The messages are sent to the IP address that you specify. As output, the messages that 
are generated as a result of sending the ICMP requests display. 

traceroute 

This command can be used to determine the route between the PDS and another host 
or gateway. When entering this command, you specify the IP address of the 
destination. Probe messages are sent to determine the route of the network hops 
leading to that destination. The traceroute command provides multiple options for 
controlling the transmission of the probe messages. 

tracepath 

This command is similar to traceroute. However, only one probe message per network 
hop is sent with tracepath. Also, tracepath does not resolve the names of the 
intermediate network hops. Compared to traceroute, tracepath should return results 
faster. 

mii-tool 

This command can be used to view and manipulate interface status of an Ethernet port. 
The command communicates with the MII (Media Independent Interface) unit on the 
network interface. The MII is involved with the negotiation of link speed and the 
duplex setting. This command provides multiple options for controlling the MII and 
displaying status information. For example, you can enable, disable, or restart 
autonegotiation. 

mtr 

This command combines the functionality of the traceroute and ping commands. It 
investigates the connectivity and route of network hops between the PDS and another 
host or gateway. It also attempts to determine the quality of the link to each network 
hop. The mtr command provides multiple options for controlling the transmission of 
the probe messages and for controlling the output. 
Note The mtr program is not loaded by default. The RPM file is available on the PDS, 
but this is not installed by default. If this tool is desired, you can install it from the PDS 
Pilot GUI. 

To install the mtr program, refer to "Install Package" on page 3-77 of this user guide. 
Use mtr as the name of the package to install. 
Appendix K 



Verifying Check Point Software Integrity 

This appendix provides the procedures that you can perform to ensure the integrity of 
the Check Point NG files on your PDS appliance. 



Overview 

MD5 checksums are computed on the PDS under test, and then compared to the 
authoritative ones computed at the factory. 

The initial set of files on the PDS is established when the PDS is "imaged" at the 
factory. Imaging is the process by which the contents of the hard drive are completely 
reset to factory settings. At imaging time, a "local repository" is constructed. The local 
repository is comprised of the set of directories where program installation files are 
stored. It contains the set of RPM files that are provided for installation on the PDS. 
The Check Point NG installation files are placed into the local repository of the PDS 
when the PDS is imaged. 

Note that the Intrusion web site for PDS upgrades does not contain Check Point RPM 
files. If you decide to upgrade the Check Point RPMs to a newer version, you must 
retrieve those files directly from the Check Point web site. 

Thus, to determine the integrity of the Check Point RPM files on the PDS that are 
deliverables from Intrusion Inc., the files in the local repository of the PDS must be 
tested. 

The integrity tests are comprised of these procedures: 

• You download file(s) from the secure Intrusion FTP site at 
ftp://ftp.intrusion.com/pub/CC-Checksums. This includes the authoritative set of 
MD5 checksums of the Check Point installation files, as shipped from the factory. 
The downloaded content also contains instructions on how to use the checksums. 

• You compute checksums for the Check Point installation files on the PDS under 
test. You run the "md5sum" program, available on the command line on the PDS, 
against the Check Point installation files. 

• You compare the set of checksums computed at the PDS under test with the 
authoritative set of checksums (computed at the factory). 

The following sections provide procedures for each release of PDS Pilot that contains 
Check Point NG. Note that much of this information is also provided on the Intrusion 
FTP site. 



700-0599-101 Rev. I    K-1 



Release-Specific Testing 



Before you can verify the Check Point NG installation files for a specific release, the 
installed version of the PDS must be determined. To determine the installed version of 
the PDS, perform the following steps: 



Step 1 Go to the command line of the PDS under test. 

Step 2 Enter the following command: 

cd /pds/RPMS.pds; ls intrusion-release* 

Running this command should yield one line of output. The output line 
presents a file name that is used in the next step. 

The example shown in Figure K-1 depicts entering the command at the 
command line interface. The example starts with the bash-2.04# 
command prompt: 

bash-2.04# cd /pds/RPMS.pds; ls intrusion-release*
intrusion-release-2.3.3-2pds.noarch.rpm
bash-2.04#

Figure K-1 Getting Release Information 

At the command prompt, you would enter the command (shown in bold 
characters in Figure K-1). The command result is output (shown in italic 
characters in Figure K-1). Upon command completion, the command 
prompt redisplays. 

Use the file name in the output line to determine the installed version. The 
table below shows a mapping between the file name and the installed 
release. 



File Name                                  Installed Release 

intrusion-release-2.7.0-7pds.noarch.rpm    2.7 (<build number>) 



The following subsection(s) present integrity tests to be performed on the PDS 
appliance. The set of tests to be used is based on the installed version determined 
above. 
PDS Pilot Release 2.7 (<build number>) 



In PDS Pilot Release 2.7, the Check Point NG RPM files are contained in a directory 
on the PDS. Some of the files are RPM files, and some of the files are compressed tar 
files ("tarballs"). The names of the Check Point NG files are: 



• CPshrd-50-03.i386.rpm (SVN Foundation, FP3) 

• CPfw1-50-03.i386.rpm (FireWall-1/VPN-1, FP3) 

• CPppak-50-03.i386.rpm (NG FP3 Performance Pack) 

• vpna_II_B0009_1_Linux.tgz (VPN-1 Accelerator Card II) 

The integrity of the Check Point NG RPM files can be determined by verifying the 
MD5 checksums for them. The checksums for the files should match the values shown 
in the following table: 



File to Perform Checksum On        Authoritative Checksum 

CPshrd-50-03.i386.rpm              1d512aafff6049054c7916697ff119cd 
CPfw1-50-03.i386.rpm               16c12d333b853e389925183ca1a54c31 
CPppak-50-03.i386.rpm              c12b0c8191f7485d9794fe11efb76a54 
vpna_II_B0009_1_Linux.tgz          3678c51d10eb252209ef2f5df8c51338 



To verify the integrity of the Check Point NG RPM files in this release, perform the 
following steps: 

Step 1 Download the verification files from the URL: 
ftp://ftp.intrusion.com/pub/CC-Checksums 

The downloaded information contains the authoritative set of MD5 
checksums for this release. You will compare this with information 
displayed at the command line in the next step. 

Step 2 Go to the command line of the PDS under test and enter the following 
command: 

cd /pds/RPMS.app; md5sum * 

Running this command yields multiple lines of output, one line for each 
file processed. Each line presents an MD5 checksum and the file name for 
which it was computed. 
The following is an example of performing the command at the command 
line interface. The example shown in Figure K-2 starts with the 
bash-2.04# command prompt: 

bash-2.04# cd /pds/RPMS.app; md5sum *
16c12d333b853e389925183ca1a54c31  CPfw1-50-03.i386.rpm
bd462163f1bd9c236c836fecb3236f24  CPfw1_smo-50-02.i386.rpm
3d3942bd6a23a3bf1120a039e2a54bc2  CPhttpd-1-52508.i386.rpm
c12b0c8191f7485d9794fe11efb76a54  CPppak-50-03.i386.rpm
1d512aafff6049054c7916697ff119cd  CPshrd-50-03.i386.rpm
68dd380e281b56563f065133a9b4bdaa  CPshrd_smo-50-02.i386.rpm
941b410878ec774bd2e29e07d08620e7  cpinfo_smo-52022-2cp.i386.rpm
40208ffccb694a6fd8543cb744780a4b  jre-1.3.1_01.i386.rpm
3678c51d10eb252209ef2f5df8c51338  vpna_II_B0009_1_Linux.tgz
bash-2.04#

Figure K-2 Getting PDS Pilot Release 2.7 (<build number>) Checksums 

At the command prompt, you enter the command (shown in bold characters 
in Figure K-2). The command result is output (shown in italic characters in 
Figure K-2). Upon command completion, the bash-2.04# command 
prompt redisplays. 




Important! There may be files that display in the command line interface output that 
are not present in the verification information. You can simply ignore these files. 



Use the verification information downloaded from the Intrusion web site 
to ensure that each file has the correct checksum. If there is a discrepancy, 
contact Product Support at Intrusion Inc. using the contact information at 
the front of this user guide or at http://www.intrusion.com 
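The comparison in Steps 1 and 2 can be scripted. The following is an added example, not part of the Intrusion guide, that checks the files in a repository directory against an md5sum-format authoritative list, reports each listed file as OK, MISMATCH or MISSING, and ignores files that are on disk but not in the list (as the Important! note above allows). The file names and checksums that make_demo creates are constructed sample data, not the factory values.

```shell
#!/bin/sh
# Added example, not from the Intrusion guide: compare the files in a repository
# directory against an authoritative md5sum-style list, as Appendix K does by hand.
# Every file name and checksum created by make_demo is constructed sample data.

set -u

# md5_of FILE: print the 32-hex-digit MD5 of FILE (md5sum, or openssl as fallback)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl md5 -r "$1" | cut -d' ' -f1
    fi
}

# verify_repo REPO_DIR AUTH_LIST
# AUTH_LIST holds md5sum-format lines: "<md5>  <filename>" (comments start with #).
# Prints one status line per listed file and returns 0 only when every listed
# file is present and matches. Files on disk that are absent from the list are
# ignored, which is what the guide's Important! note allows.
verify_repo() {
    repo="$1"; auth="$2"; status=0
    while read -r expected name; do
        case "$expected" in ''|'#'*) continue ;; esac
        if [ ! -f "$repo/$name" ]; then
            echo "MISSING  $name"; status=1; continue
        fi
        actual=$(md5_of "$repo/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $expected, got $actual)"; status=1
        fi
    done < "$auth"
    return "$status"
}

# make_demo: build a throwaway repository plus a list that exercises every
# outcome: one match, one deliberately wrong checksum, one listed file that
# is missing from disk, and one unlisted file that must be ignored.
# Prints the temporary directory it created.
make_demo() {
    dir=$(mktemp -d); mkdir "$dir/repo"
    printf 'sample package A\n' > "$dir/repo/CPshrd-sample.rpm"
    printf 'sample package B\n' > "$dir/repo/CPfw1-sample.rpm"
    printf 'unlisted file\n'    > "$dir/repo/extra.rpm"
    {
        echo "# constructed authoritative checksums (demo only)"
        printf '%s  CPshrd-sample.rpm\n' "$(md5_of "$dir/repo/CPshrd-sample.rpm")"
        echo "00000000000000000000000000000000  CPfw1-sample.rpm"
        echo "ffffffffffffffffffffffffffffffff  absent.rpm"
    } > "$dir/authoritative.md5"
    echo "$dir"
}

# Run the demo when invoked as: sh verify_repo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    verify_repo "$d/repo" "$d/authoritative.md5"
fi
```

On a real PDS the list would be the one downloaded in Step 1 and the directory /pds/RPMS.app; a non-zero exit from verify_repo is the discrepancy that the guide says to report to Product Support.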
ITSEC E3 Secure Delivery 

Secure Delivery 



ITSEC E3 Secure Delivery ensures that the software delivered is an authentic product 
that is ready for registration with the manufacturer. The details in the following 
sections explain how the packaging design ensures that the software shipped is 
tamper-proof and legitimate. 

Check Point ships its products in formal company packaging that clearly indicates the 
product type and manufacturer. The package provided includes documentation and a 
media kit designed to ensure secure delivery of the software. 

• The media kit and user documentation are shrink-wrapped both for physical 
protection and to provide additional assurance that the contents have not been 
tampered with. 

• If the CD-ROM is not shrink-wrapped, do not trust the content and contact your 
dealer. 

Intrusion ships its products in formal company packaging that clearly indicates the 
product type and manufacturer. The supplied packaging includes documentation and 
a media kit. Intrusion packaging is designed to ensure secure delivery of the software. 

• The media kit and user documentation are shrink-wrapped both for physical 
protection and to provide additional assurance that the contents have not been 
tampered with. 

• If the CD-ROM is not shrink-wrapped, do not trust the content and contact your 
dealer. 



Verification 



As part of the installation procedure of VPN-1/FireWall-1, it is necessary to enter your 
Check Point license details. If license details are not requested as part of the 
installation process do not use the product; it is not a legitimate copy. See the Check 
Point Getting Started Guide for detailed instructions about how to obtain licenses. 



Important! The permanent license required to install the product will only be 
provided to you once the product is registered on Check Point's Web Site. Registration 
will require entry of user details along with a unique Certificate Key which is provided 
on the Check Point CD-ROM case. 



The Certificate key is a complex combination of alphanumeric characters which could 
not easily be identified via a trial and error process. Check Point audits all changes to 
this license entry to prevent such attacks and to ensure a legitimate entry is not 
overwritten. 

If the software has already been registered, then this will be indicated during the 
registration process. If this happens, contact your Check Point dealer immediately. 
After you enter the license key, a message displays to indicate the product type for 
the key entered. If the product type indicated does not match the product you require, 
contact your Check Point dealer for assistance. 

This mechanism both confirms correct purchase of the product, by you the client, and 
the legitimacy of the product, inasmuch as you will know that: 

a. The CD-ROM and license key have been issued in combination by 
Check Point. 

b. The software supplied is a legitimately produced version. 

c. The software has not been registered previously. 